Bug 783015 - Integer-overflow in xmlFAParseQuantExact
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: regexp
Version: git master
Platform: Other All
Importance: Normal normal
Target Milestone: ---
Assigned To: Daniel Veillard
URL: https://bugs.chromium.org/p/oss-fuzz/...
Depends on:
Blocks:
Reported: 2017-05-23 20:36 UTC by David Kilzer
Modified: 2020-07-02 10:07 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description David Kilzer 2017-05-23 20:36:18 UTC
When a regex uses an {nnn} expression where 'nnn' is larger than INT_MAX, an integer overflow occurs in xmlFAParseQuantExact() (found by oss-fuzz running with UBSan):

static int
xmlFAParseQuantExact(xmlRegParserCtxtPtr ctxt) {
    int ret = 0;
    int ok = 0;

    while ((CUR >= '0') && (CUR <= '9')) {
        ret = ret * 10 + (CUR - '0');  // Integer overflow.
        ok = 1;
        NEXT;
    }
    if (ok != 1) {
        return(-1);
    }
    return(ret);
}

A sample test case would be:

.{4294967295}

Imported from:  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=520
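As an added example (not libxml2's code and not part of the report above), a hardened version of the same digit loop that rejects a {nnn} count before the multiplication can overflow; the quant_ctxt struct and the function names are stand-ins for libxml2's parser context and its CUR/NEXT macros.

```c
#include <limits.h>

/* Stand-in for xmlRegParserCtxtPtr: libxml2's CUR/NEXT macros read and
 * advance ctxt->cur; here a plain pointer into the pattern string does. */
typedef struct {
    const char *cur;
} quant_ctxt;

/* Same accumulation as the vulnerable routine (ret = ret * 10 + digit),
 * but the bound is checked before the arithmetic, because signed overflow
 * in C is undefined behaviour and cannot be detected after the fact.
 * Returns -1 when no digit is present or when the count would exceed
 * INT_MAX; otherwise returns the parsed count. */
static int
quant_parse_exact_checked(quant_ctxt *ctxt)
{
    int ret = 0;
    int ok = 0;

    while ((*ctxt->cur >= '0') && (*ctxt->cur <= '9')) {
        int digit = *ctxt->cur - '0';
        /* ret * 10 + digit <= INT_MAX  <=>  ret <= (INT_MAX - digit) / 10 */
        if (ret > (INT_MAX - digit) / 10)
            return -1;          /* would overflow: reject the quantifier */
        ret = ret * 10 + digit;
        ok = 1;
        ctxt->cur++;            /* NEXT */
    }
    if (ok != 1)
        return -1;
    return ret;
}

/* Convenience wrapper: parse the digits at the start of a pattern slice,
 * e.g. the text that follows '{' in ".{4294967295}". */
static int
quant_parse_exact_str(const char *s)
{
    quant_ctxt ctxt;
    ctxt.cur = s;
    return quant_parse_exact_checked(&ctxt);
}
```

The reporter's sample count 4294967295 is rejected, while every count up to INT_MAX is still accepted unchanged.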