[libxml2] Check XPath exponents for overflow
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Check XPath exponents for overflow
- Date: Thu, 1 Jun 2017 13:01:58 +0000 (UTC)
commit f4029cd413940677a310b48cd6cf6acf9cf33008
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Thu Apr 21 16:37:26 2016 +0200
Check XPath exponents for overflow
Avoid undefined behavior and wrong results with huge exponents.
Found with afl-fuzz and UBSan.
result/XPath/expr/base | 32 ++++++++++++++++++++++++++++++++
test/XPath/expr/base | 8 ++++++++
xpath.c | 6 ++++--
3 files changed, 44 insertions(+), 2 deletions(-)
---
diff --git a/result/XPath/expr/base b/result/XPath/expr/base
index e2f6389..57c93cf 100644
--- a/result/XPath/expr/base
+++ b/result/XPath/expr/base
@@ -32,5 +32,37 @@ Expression: -0.000000000000000000000000000000000000000000000000001
Object is a number : -1e-51
========================
+Expression: 1e2147483648
+Object is a number : Infinity
+
+========================
+Expression: 1e4294967296
+Object is a number : Infinity
+
+========================
+Expression: 1e9223372036854775808
+Object is a number : Infinity
+
+========================
+Expression: 1e18446744073709551616
+Object is a number : Infinity
+
+========================
+Expression: 1e-2147483649
+Object is a number : 0
+
+========================
+Expression: 1e-4294967296
+Object is a number : 0
+
+========================
+Expression: 1e-9223372036854775809
+Object is a number : 0
+
+========================
+Expression: 1e-18446744073709551616
+Object is a number : 0
+
+========================
Expression: self::-name
Object is empty (NULL)
diff --git a/test/XPath/expr/base b/test/XPath/expr/base
index 823f64b..cc18735 100644
--- a/test/XPath/expr/base
+++ b/test/XPath/expr/base
@@ -6,4 +6,12 @@
1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1
0.000000000000000000000000000000000000000000000000001
-0.000000000000000000000000000000000000000000000000001
+1e2147483648
+1e4294967296
+1e9223372036854775808
+1e18446744073709551616
+1e-2147483649
+1e-4294967296
+1e-9223372036854775809
+1e-18446744073709551616
self::-name
diff --git a/xpath.c b/xpath.c
index 82b0eea..a60a623 100644
--- a/xpath.c
+++ b/xpath.c
@@ -10151,7 +10151,8 @@ xmlXPathStringEvalNumber(const xmlChar *str) {
cur++;
}
while ((*cur >= '0') && (*cur <= '9')) {
- exponent = exponent * 10 + (*cur - '0');
+ if (exponent < 1000000)
+ exponent = exponent * 10 + (*cur - '0');
cur++;
}
}
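Review bot: The cap `if (exponent < 1000000)` is a bare magic number with no comment, and the same guard is repeated verbatim in the xmlXPathCompNumber hunk below, so the two copies can drift apart. The intent is presumably that any exponent already at or above 10^6 is far beyond what a double can represent, so further digits can be dropped without changing the result (the result file confirms Infinity/0 for such inputs); that reasoning deserves a comment such as `/* Clamp: exponents this large already over/underflow a double, so drop further digits instead of overflowing the integer */`. Naming the bound once (e.g. a file-level `#define` or enum constant used by both functions) would keep the two parsers consistent. The declaration of `exponent` is outside the hunk, so its width cannot be confirmed here; with an `int` the cap keeps the value below 10^7, which is safe, but worth a one-line note at the declaration. The enclosing functions start and end outside both hunks.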
@@ -10245,7 +10246,8 @@ xmlXPathCompNumber(xmlXPathParserContextPtr ctxt)
NEXT;
}
while ((CUR >= '0') && (CUR <= '9')) {
- exponent = exponent * 10 + (CUR - '0');
+ if (exponent < 1000000)
+ exponent = exponent * 10 + (CUR - '0');
NEXT;
}
if (is_exponent_negative)