Bug 783015 – Integer-overflow in xmlFAParseQuantExact

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 783015 - Integer-overflow in xmlFAParseQuantExact


Summary:	Integer-overflow in xmlFAParseQuantExact


Status:	RESOLVED FIXED

Product:	libxml2
Classification:	Platform
Component:	regexp
Version:	git master
Hardware:	Other All

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Daniel Veillard
QA Contact:

URL:	https://bugs.chromium.org/p/oss-fuzz/...
Whiteboard:

Depends on:
Blocks:

Reported:	2017-05-23 20:36 UTC by David Kilzer
Modified:	2020-07-02 10:07 UTC

See Also:	316338
GNOME target:	---
GNOME version:	---

Description David Kilzer 2017-05-23 20:36:18 UTC

Using a regex with an {nnn} expression where 'nnn' is larger than INT_MAX, an integer overflow occurs in xmlFAParseQuantExact() (found by oss-fuzz running with UBSan):

static int
xmlFAParseQuantExact(xmlRegParserCtxtPtr ctxt) {
    int ret = 0;
    int ok = 0;

    while ((CUR >= '0') && (CUR <= '9')) {
	ret = ret * 10 + (CUR - '0');  // Integer overflow.
	ok = 1;
	NEXT;
    }
    if (ok != 1) {
	return(-1);
    }
    return(ret);
}

A sample test case would be:

.{4294967295}

Imported from:  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=520

Comment 1 David Kilzer 2020-07-02 03:22:09 UTC

See also:  <https://gitlab.gnome.org/GNOME/libxml2/-/commit/1e7851b5aea4b2d8b9a6b6c02187fc4786f7a8b7>