Fix integer overflow in htmlParseCharRef

Fixes #115.
author: Nick Wellnhofer <wellnhofer@aevum.de> 2020-06-15 18:47:53 +0200
committer: Nick Wellnhofer <wellnhofer@aevum.de> 2020-06-15 21:23:54 +0200
commit: 31ca4a728cf96c9a341d0bfe489d2c0ba71dc6ff (patch)
tree: ea7d8707f1feeb8d9094d685c32c3c38abc209d8 /HTMLparser.c
parent: 2f9382033e4c398dd1c9aae4d24fa9f649fbf23d (diff)
download: libxml2-31ca4a728cf96c9a341d0bfe489d2c0ba71dc6ff.tar.gz
1 files changed, 17 insertions, 10 deletions
diff --git a/HTMLparser.c b/HTMLparser.c
index 5dd62df1..be7e14f2 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -3400,13 +3400,16 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
         ((NXT(2) == 'x') || NXT(2) == 'X')) {
 	SKIP(3);
 	while (CUR != ';') {
-	    if ((CUR >= '0') && (CUR <= '9'))
-	        val = val * 16 + (CUR - '0');
-	    else if ((CUR >= 'a') && (CUR <= 'f'))
-	        val = val * 16 + (CUR - 'a') + 10;
-	    else if ((CUR >= 'A') && (CUR <= 'F'))
-	        val = val * 16 + (CUR - 'A') + 10;
-	    else {
+	    if ((CUR >= '0') && (CUR <= '9')) {
+                if (val < 0x110000)
+	            val = val * 16 + (CUR - '0');
+            } else if ((CUR >= 'a') && (CUR <= 'f')) {
+                if (val < 0x110000)
+	            val = val * 16 + (CUR - 'a') + 10;
+            } else if ((CUR >= 'A') && (CUR <= 'F')) {
+                if (val < 0x110000)
+	            val = val * 16 + (CUR - 'A') + 10;
+            } else {
 	        htmlParseErr(ctxt, XML_ERR_INVALID_HEX_CHARREF,
 		             "htmlParseCharRef: missing semicolon\n",
 			     NULL, NULL);
@@ -3419,9 +3422,10 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
     } else if  ((CUR == '&') && (NXT(1) == '#')) {
 	SKIP(2);
 	while (CUR != ';') {
-	    if ((CUR >= '0') && (CUR <= '9'))
-	        val = val * 10 + (CUR - '0');
-	    else {
+	    if ((CUR >= '0') && (CUR <= '9')) {
+                if (val < 0x110000)
+	            val = val * 10 + (CUR - '0');
+            } else {
 	        htmlParseErr(ctxt, XML_ERR_INVALID_DEC_CHARREF,
 		             "htmlParseCharRef: missing semicolon\n",
 			     NULL, NULL);
@@ -3440,6 +3444,9 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
      */
     if (IS_CHAR(val)) {
         return(val);
+    } else if (val >= 0x110000) {
+	htmlParseErr(ctxt, XML_ERR_INVALID_CHAR,
+		     "htmlParseCharRef: value too large\n", NULL, NULL);
     } else {
 	htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR,
 			"htmlParseCharRef: invalid xmlChar value %d\n",
author	Nick Wellnhofer <wellnhofer@aevum.de>	2020-06-15 18:47:53 +0200
committer	Nick Wellnhofer <wellnhofer@aevum.de>	2020-06-15 21:23:54 +0200
commit	31ca4a728cf96c9a341d0bfe489d2c0ba71dc6ff (patch)
tree	ea7d8707f1feeb8d9094d685c32c3c38abc209d8 /HTMLparser.c
parent	2f9382033e4c398dd1c9aae4d24fa9f649fbf23d (diff)
download	libxml2-31ca4a728cf96c9a341d0bfe489d2c0ba71dc6ff.tar.gz