c/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2 synced 2025-03-28 21:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Integer overflow parsing port number in URI

Browse Source 
For https://bugzilla.gnome.org/show_bug.cgi?id=765566

in xmlParse3986Port(), uri->port can overflow when parsing a the port number.
The type of uri->port is int, so the consequent behavior is undefined and
may differ between compilers and architectures
This commit is contained in:
Michael Paddon 2016-05-21 17:16:05 +08:00 committed by Daniel Veillard
parent 8effcb578e
commit 846cf015a7
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
uri.c
View File

@ -314,7 +314,7 @@ xmlParse3986Query(xmlURIPtr uri, const char **str)
* @uri: pointer to an URI structure * @uri: pointer to an URI structure
* @str: the string to analyze * @str: the string to analyze
* *
* Parse a port part and fills in the appropriate fields * Parse a port part and fills in the appropriate fields
* of the @uri structure * of the @uri structure
* *
* port = *DIGIT * port = *DIGIT
@ -325,15 +325,16 @@ static int
xmlParse3986Port(xmlURIPtr uri, const char **str) xmlParse3986Port(xmlURIPtr uri, const char **str)
{ {
const char *cur = *str; const char *cur = *str;
unsigned port = 0; /* unsigned for defined overflow behavior */
if (ISA_DIGIT(cur)) { if (ISA_DIGIT(cur)) {
if (uri != NULL)
uri->port = 0;
while (ISA_DIGIT(cur)) { while (ISA_DIGIT(cur)) {
if (uri != NULL) port = port * 10 + (*cur - '0');
uri->port = uri->port * 10 + (*cur - '0');
cur++; cur++;
} }
if (uri != NULL)
uri->port = port & INT_MAX; /* port value modulo INT_MAX+1 */
*str = cur; *str = cur;
return(0); return(0);
} }