[libxml2] Check for integer overflow in xmlXPathFormatNumber
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Check for integer overflow in xmlXPathFormatNumber
- Date: Thu, 1 Jun 2017 20:15:18 +0000 (UTC)
commit 7482f41f61d733656d588b4d8c300b1ecdff7f5f
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Thu Jun 1 22:00:19 2017 +0200
Check for integer overflow in xmlXPathFormatNumber
Check for overflow before casting double to int.
Found with afl-fuzz and UBSan.
result/XPath/expr/floats | 8 ++++++++
result/XPath/expr/strings | 8 ++++++++
test/XPath/expr/floats | 2 ++
test/XPath/expr/strings | 2 ++
xpath.c | 3 ++-
5 files changed, 22 insertions(+), 1 deletions(-)
---
diff --git a/result/XPath/expr/floats b/result/XPath/expr/floats
index b6255ce..157bd76 100644
--- a/result/XPath/expr/floats
+++ b/result/XPath/expr/floats
@@ -242,3 +242,11 @@ Object is a number : -1
========================
Expression: 8 mod 3 = 2
Object is a Boolean : true
+
+========================
+Expression: 12345678901234567890
+Object is a number : 1.23457e+19
+
+========================
+Expression: -12345678901234567890
+Object is a number : -1.23457e+19
diff --git a/result/XPath/expr/strings b/result/XPath/expr/strings
index fad7048..1ae5cc4 100644
--- a/result/XPath/expr/strings
+++ b/result/XPath/expr/strings
@@ -20,6 +20,14 @@ Expression: string(false())
Object is a string : false
========================
+Expression: string(12345678901234567890)
+Object is a string : 1.23456789012346e+19
+
+========================
+Expression: string(-12345678901234567890)
+Object is a string : -1.23456789012346e+19
+
+========================
Expression: concat("titi","toto")
Object is a string : tititoto
diff --git a/test/XPath/expr/floats b/test/XPath/expr/floats
index 96c10d1..b447524 100644
--- a/test/XPath/expr/floats
+++ b/test/XPath/expr/floats
@@ -59,3 +59,5 @@ number('f') div 1
-5 mod 2
-5 mod -2
8 mod 3 = 2
+12345678901234567890
+-12345678901234567890
diff --git a/test/XPath/expr/strings b/test/XPath/expr/strings
index 849ca14..ba02c79 100644
--- a/test/XPath/expr/strings
+++ b/test/XPath/expr/strings
@@ -3,6 +3,8 @@ string(0.5)
string(-0.5)
string(true())
string(false())
+string(12345678901234567890)
+string(-12345678901234567890)
concat("titi","toto")
concat("titi","toto","tata")
concat("titi",'toto')
diff --git a/xpath.c b/xpath.c
index a60a623..318b5b4 100644
--- a/xpath.c
+++ b/xpath.c
@@ -3106,7 +3106,8 @@ xmlXPathFormatNumber(double number, char buffer[], int buffersize)
snprintf(buffer, buffersize, "NaN");
} else if (number == 0 && xmlXPathGetSign(number) != 0) {
snprintf(buffer, buffersize, "0");
- } else if (number == ((int) number)) {
+ } else if ((number > INT_MIN) && (number < INT_MAX) &&
+ (number == (int) number)) {
char work[30];
char *ptr, *cur;
int value = (int) number;
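Review bot: The new range test at the `else if` line guards the cast on this hunk's last line but leaves the reason unstated; a one-line comment such as `/* A double outside [INT_MIN, INT_MAX] converted to int is undefined behaviour (C11 6.3.1.4), so reject before casting. */` above it would keep the next maintainer from "simplifying" it back. Note that the comparisons are strict, so INT_MIN and INT_MAX themselves (both exactly representable as doubles) fall through to the later non-integer formatting branch rather than the integer one; that is safe but slightly surprising, so it is worth either stating in the comment or widening to `>=`/`<=`. The test presumably also relies on `<limits.h>` already being included by xpath.c, which this hunk does not show. The enclosing xmlXPathFormatNumber starts and ends outside the hunk, so the NaN/infinity handling that precedes this branch could not be checked here.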