authorMichael Paddon <mwp@chromium.org>2016-05-21 17:16:05 +0800
committerDaniel Veillard <veillard@redhat.com>2016-05-21 17:18:15 +0800
commit846cf015a77b9bca7b90c17c1f608ece3e268dad (patch)
tree6603cc4c8b59969c39905b39afab02921ccf44e2
parent8effcb578e0590cc01bbcab0f9dccefc6bdbcdbd (diff)
downloadlibxml2-846cf015a77b9bca7b90c17c1f608ece3e268dad.tar.gz
Integer overflow parsing port number in URI
For https://bugzilla.gnome.org/show_bug.cgi?id=765566 in xmlParse3986Port(), uri->port can overflow when parsing the port number. The type of uri->port is int, so the consequent behavior is undefined and may differ between compilers and architectures.
-rw-r--r--uri.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/uri.c b/uri.c
index ff47abbe..2bd5720d 100644
--- a/uri.c
+++ b/uri.c
@@ -314,7 +314,7 @@ xmlParse3986Query(xmlURIPtr uri, const char **str)
* @uri: pointer to an URI structure
* @str: the string to analyze
*
- * Parse a port part and fills in the appropriate fields
+ * Parse a port part and fills in the appropriate fields
* of the @uri structure
*
* port = *DIGIT
@@ -325,15 +325,16 @@ static int
xmlParse3986Port(xmlURIPtr uri, const char **str)
{
const char *cur = *str;
+ unsigned port = 0; /* unsigned for defined overflow behavior */
if (ISA_DIGIT(cur)) {
- if (uri != NULL)
- uri->port = 0;
while (ISA_DIGIT(cur)) {
- if (uri != NULL)
- uri->port = uri->port * 10 + (*cur - '0');
+ port = port * 10 + (*cur - '0');
+
cur++;
}
+ if (uri != NULL)
+ uri->port = port & INT_MAX; /* port value modulo INT_MAX+1 */
*str = cur;
return(0);
}