GNOME Bugzilla – Bug 314326
integer overflow in xmlXPathFormatNumber
Last modified: 2009-08-15 18:40:50 UTC
Please describe the problem:
When trying to print a number that happened to be an integer (number == ((int) number)), xmlXPathFormatNumber does a bunch of divide/modulo arithmetic to generate the characters (instead of deferring to printf like it does for numbers with a floating-point portion). This code has an overflow for the case of -2147483648 (0x80000000), since that number has the strange property that -x == x (for machines where sizeof(int) == 4). This means that the code doing if(val < 0) val = -val; in an attempt to get an absolute value fails, and val is still negative. Therefore, val % 10 can be negative (on x86, at least, it is). So when it adds '0' + val % 10 to get digits, the results are... interesting :-)

Steps to reproduce:
1. ./testXPath 'string(-2147483648.0)'

Actual results:
Object is a string : -./,),(-*,(

Expected results:
Object is a string : -2147483648

Does this happen every time?
yes

Other information:
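The arithmetic the report describes, as an added example that is not libxml2's own code: a simplified re-creation of the divide/modulo digit loop (format_int_buggy, a name chosen here) beside a variant that takes the magnitude in unsigned arithmetic (format_int_fixed), assuming a 32-bit two's-complement int.

```c
#include <limits.h>
#include <string.h>
/* Reverse the n digits at p (stored least significant first) and NUL-terminate. */
static void finish_digits(char *p, size_t n)
{
    for (size_t i = 0, j = n; i + 1 < j; i++, j--) {
        char t = p[i]; p[i] = p[j - 1]; p[j - 1] = t;
    }
    p[n] = '\0';
}

/* Buggy variant: negates the int to get an absolute value. -INT_MIN is signed
 * overflow, written here as an explicit two's-complement wrap so the result is
 * deterministic: val stays INT_MIN, val % 10 is negative (C99 truncates toward
 * zero), and '0' + val % 10 yields punctuation instead of digits. */
static const char *format_int_buggy(int val)
{
    static char out[16];               /* 11 chars + NUL; shared demo buffer */
    char *p = out; size_t n = 0;
    if (val < 0) {
        *p++ = '-';
        val = (int)(0u - (unsigned)val);   /* INT_MIN stays INT_MIN */
    }
    do {
        p[n++] = (char)('0' + val % 10);   /* remainder may be -9..-1 */
        val /= 10;
    } while (val != 0);
    finish_digits(p, n);
    return out;
}

/* Fixed variant: compute the magnitude in unsigned arithmetic, where
 * 0u - (unsigned)INT_MIN == 2147483648u is exact, so every remainder is 0..9. */
static const char *format_int_fixed(int val)
{
    static char out[16];
    char *p = out; size_t n = 0;
    unsigned mag = (unsigned)val;
    if (val < 0) {
        *p++ = '-';
        mag = 0u - (unsigned)val;
    }
    do {
        p[n++] = (char)('0' + mag % 10);
        mag /= 10;
    } while (mag != 0);
    finish_digits(p, n);
    return out;
}
```

On a 32-bit int, format_int_buggy(INT_MIN) reproduces the report's "-./,),(-*,(" exactly, while format_int_fixed(INT_MIN) gives "-2147483648".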
I can reproduce it in head, confirmed, Daniel
Okay, fixed, this should be committed to CVS shortly, thanks! Daniel
This should be closed by release of libxml2-2.6.21, thanks, Daniel