[libxml2/ddkilzer/oss-fuzz-44803-integer-overflow-in-xmlSkipBlankChars: 3/3] Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars()
- From: David Kilzer <ddkilzer src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2/ddkilzer/oss-fuzz-44803-integer-overflow-in-xmlSkipBlankChars: 3/3] Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars()
- Date: Mon, 11 Apr 2022 18:09:38 +0000 (UTC)
commit 44e9118c023ae3697fc40276ab3a50b44477986c
Author: David Kilzer <ddkilzer webkit org>
Date: Fri Apr 8 12:33:17 2022 -0700
Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars()
* HTMLparser.c:
(htmlSkipBlankChars):
* parser.c:
(xmlSkipBlankChars):
- Cap the return value at INT_MAX.
- The commit range that OSS-Fuzz listed for the fix didn't make
any changes to xmlSkipBlankChars(), so it seems like this
issue may still exist.
Found by OSS-Fuzz Issue 44803.
HTMLparser.c | 3 ++-
parser.c | 6 ++++--
2 files changed, 6 insertions(+), 3 deletions(-)
---
diff --git a/HTMLparser.c b/HTMLparser.c
index 9bd0fb34..9079fa8a 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -598,7 +598,8 @@ htmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
if (*ctxt->input->cur == 0)
xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
}
- res++;
+ if (res < INT_MAX)
+ res++;
}
return(res);
}
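Review bot: `INT_MAX` is introduced at the `+ if (res < INT_MAX)` line, but the hunk adds no `#include <limits.h>`; confirm HTMLparser.c already pulls it in directly or through one of its headers, otherwise the build breaks on toolchains that do not provide it transitively. The guard also turns `res` into a silently saturating count, which is fine for callers that only test whether any blanks were skipped, but the function's comment block should say the return value saturates at `INT_MAX` rather than being exact.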
diff --git a/parser.c b/parser.c
index 230872f4..1bea54eb 100644
--- a/parser.c
+++ b/parser.c
@@ -2202,7 +2202,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
ctxt->input->col++;
}
cur++;
- res++;
+ if (res < INT_MAX)
+ res++;
if (*cur == 0) {
ctxt->input->cur = cur;
xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
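Review bot: the cap is applied to `res++` but not to `ctxt->input->col++` two lines above it in the same loop body, so a blank run long enough to saturate `res` still advances `col` unchecked and would overflow it if it has the same width; either apply the same `if (... < INT_MAX)` guard there or state in the commit message why the column counter is out of scope for this fix.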
@@ -2238,7 +2239,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
* by the attachment of one leading and one following space (#x20)
* character."
*/
- res++;
+ if (res < INT_MAX)
+ res++;
}
}
return(res);
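Review bot: this is the third copy of the bare `if (res < INT_MAX) res++;` idiom in the patch, and none of them carries a comment, even though the surrounding block quotes the XML spec at length; a one-line comment next to each guard (saturate instead of wrapping, per OSS-Fuzz 44803) would keep the next reader from "simplifying" it back to `res++`. The diffstat also shows only the two parser files touched, with no regression input added for the OSS-Fuzz issue, so consider adding the reproducer to the fuzz corpus so the fix stays covered.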