author | Michael Paddon <mwp@chromium.org> | 2016-05-21 17:16:05 +0800 |
---|---|---|
committer | Daniel Veillard <veillard@redhat.com> | 2016-05-21 17:18:15 +0800 |
commit | 846cf015a77b9bca7b90c17c1f608ece3e268dad (patch) | |
tree | 6603cc4c8b59969c39905b39afab02921ccf44e2 | |
parent | 8effcb578e0590cc01bbcab0f9dccefc6bdbcdbd (diff) | |
download | libxml2-846cf015a77b9bca7b90c17c1f608ece3e268dad.tar.gz |
Integer overflow parsing port number in URI
For https://bugzilla.gnome.org/show_bug.cgi?id=765566
in xmlParse3986Port(), uri->port can overflow when parsing the port number.
The type of uri->port is int, so the consequent behavior is undefined and
may differ between compilers and architectures.
-rw-r--r-- | uri.c | 11 |
1 files changed, 6 insertions, 5 deletions
@@ -314,7 +314,7 @@ xmlParse3986Query(xmlURIPtr uri, const char **str)
 * @uri: pointer to an URI structure
 * @str: the string to analyze
 *
- * Parse a port part and fills in the appropriate fields
+ * Parse a port part and fills in the appropriate fields
 * of the @uri structure
 *
 * port = *DIGIT
@@ -325,15 +325,16 @@ static int
 xmlParse3986Port(xmlURIPtr uri, const char **str)
 {
 const char *cur = *str;
+ unsigned port = 0; /* unsigned for defined overflow behavior */
 if (ISA_DIGIT(cur)) {
- if (uri != NULL)
- uri->port = 0;
 while (ISA_DIGIT(cur)) {
- if (uri != NULL)
- uri->port = uri->port * 10 + (*cur - '0');
+ port = port * 10 + (*cur - '0');
+
 cur++;
 }
+ if (uri != NULL)
+ uri->port = port & INT_MAX; /* port value modulo INT_MAX+1 */
 *str = cur;
 return(0);
 }
|
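Review bot: The final `uri->port = port & INT_MAX;` removes the undefined behaviour but still accepts an overlong digit run and stores a wrapped, unrelated value, so a port that does not fit is silently turned into a different, valid-looking one. Code that checks the URI text and code that later connects using `uri->port` can then disagree about the destination, which matters wherever URIs are filtered or allow-listed. Rejecting the input inside the loop is safer: `if (port > (unsigned)(INT_MAX - (*cur - '0')) / 10) return(1);` before the multiply, after which the store can be a plain `uri->port = (int)port;`. Returning non-zero is assumed to be this function's failure convention, since its tail lies outside the hunk. `INT_MAX` also needs `<limits.h>`, and the file's include list is not visible here.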