Integer overflow parsing port number in URI

For https://bugzilla.gnome.org/show_bug.cgi?id=765566 in xmlParse3986Port(), uri->port can overflow when parsing a the port number. The type of uri->port is int, so the consequent behavior is undefined and may differ between compilers and architectures
2025-02-09 17:57:24 +03:00 · 2016-05-21 17:16:05 +08:00 · 2016-05-21 17:16:05 +08:00 · 846cf015a7
commit 846cf015a7
parent 8effcb578e
1 changed files with 6 additions and 5 deletions
--- a/uri.c
+++ b/uri.c
@ -314,7 +314,7 @@ xmlParse3986Query(xmlURIPtr uri, const char **str)
 * @uri:  pointer to an URI structure
 * @str:  the string to analyze
 *
- * Parse a port  part and fills in the appropriate fields
+ * Parse a port part and fills in the appropriate fields
 * of the @uri structure
 *
 * port          = *DIGIT
@ -325,15 +325,16 @@ static int
 xmlParse3986Port(xmlURIPtr uri, const char **str)
 {
    const char *cur = *str;
+    unsigned port = 0; /* unsigned for defined overflow behavior */

    if (ISA_DIGIT(cur)) {
-	if (uri != NULL)
-	    uri->port = 0;
 	while (ISA_DIGIT(cur)) {
-	    if (uri != NULL)
-		uri->port = uri->port * 10 + (*cur - '0');
+	    port = port * 10 + (*cur - '0');
+
 	    cur++;
 	}
+	if (uri != NULL)
+	    uri->port = port & INT_MAX; /* port value modulo INT_MAX+1 */
 	*str = cur;
 	return(0);
    }