c/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2 synced 2025-03-28 21:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Check XPath exponents for overflow

Browse Source 
Avoid undefined behavior and wrong results with huge exponents.

Found with afl-fuzz and UBSan.
This commit is contained in:
Nick Wellnhofer 2016-04-21 16:37:26 +02:00
parent a58331a6ee
commit f4029cd413
3 changed files with 44 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
result/XPath/expr/base
View File

@ -31,6 +31,38 @@ Object is a number : 1e-51
Expression: -0.000000000000000000000000000000000000000000000000001
Object is a number : -1e-51
========================
Expression: 1e2147483648
Object is a number : Infinity
========================
Expression: 1e4294967296
Object is a number : Infinity
========================
Expression: 1e9223372036854775808
Object is a number : Infinity
========================
Expression: 1e18446744073709551616
Object is a number : Infinity
========================
Expression: 1e-2147483649
Object is a number : 0
========================
Expression: 1e-4294967296
Object is a number : 0
========================
Expression: 1e-9223372036854775809
Object is a number : 0
========================
Expression: 1e-18446744073709551616
Object is a number : 0
========================
Expression: self::-name
Object is empty (NULL)

8
test/XPath/expr/base
View File

@ -6,4 +6,12 @@
1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1
0.000000000000000000000000000000000000000000000000001
-0.000000000000000000000000000000000000000000000000001
1e2147483648
1e4294967296
1e9223372036854775808
1e18446744073709551616
1e-2147483649
1e-4294967296
1e-9223372036854775809
1e-18446744073709551616
self::-name

6
xpath.c
View File

@ -10151,7 +10151,8 @@ xmlXPathStringEvalNumber(const xmlChar *str) {
cur++;
}
while ((*cur >= '0') && (*cur <= '9')) {
exponent = exponent * 10 + (*cur - '0');
if (exponent < 1000000)
exponent = exponent * 10 + (*cur - '0');
cur++;
}
}
@ -10245,7 +10246,8 @@ xmlXPathCompNumber(xmlXPathParserContextPtr ctxt)
NEXT;
}
while ((CUR >= '0') && (CUR <= '9')) {
exponent = exponent * 10 + (CUR - '0');
if (exponent < 1000000)
exponent = exponent * 10 + (CUR - '0');
NEXT;
}
if (is_exponent_negative)