Bug 765379 - Integer overflow when calculating years
Integer overflow when calculating years
Status: RESOLVED FIXED
Product: libxslt
Classification: Platform
Component: general
Version: git master
Hardware: Other, OS: Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2016-04-21 14:59 UTC by Nicolas Gregoire
Modified: 2017-05-18 16:29 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
PoC XSLT (247 bytes, application/xml)
2016-04-21 14:59 UTC, Nicolas Gregoire

Description Nicolas Gregoire 2016-04-21 14:59:39 UTC
Created attachment 326496 [details]
PoC XSLT

When calculated, years are manipulated by "dates-and-times" functions as signed long. Their maximum value (on x64) is _I64_MAX aka 9223372036854775807. Values greater than _I64_MAX are accepted and will trigger an integer overflow, wrapping to negative values. If the value is greater than _UI64_MAX aka 18446744073709553592, the number is positive again.

That doesn't seem to have any security impact.

PoC (18446744073709553592 = _UI64_MAX + 1976):

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:date="http://exslt.org/dates-and-times">
 <xsl:template match="/">
 <xsl:value-of select="date:year('18446744073709553592')"/>
 </xsl:template>
</xsl:stylesheet>

Repro:

$ xsltproc x-year_long_overflow.xsl  empty.xml
<?xml version="1.0"?>
1976
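The root cause described in the report, a year string accumulated into a 64-bit signed integer with no range check, can be reproduced in isolation. The following is an added illustration written for this page, not libxslt's own parser or the fix referenced in the commit below. The naive variant accumulates into an unsigned 64-bit value (an assumption made here so that the wrap-around is well defined, since signed overflow in C is undefined behaviour) and then reinterprets it as signed, which is what turns the PoC input 18446744073709553592 into 1976. The checked variant refuses any input that does not fit in int64_t, which is the kind of range check a caller would want before handing a year to date arithmetic.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive parser (constructed for illustration): digits are accumulated into
 * a uint64_t, so the value silently wraps modulo 2^64, and the result is
 * then reinterpreted as a signed 64-bit year. On two's-complement targets
 * "9223372036854775808" comes out negative and "18446744073709553592"
 * (2^64 + 1976) comes out as 1976, matching the behaviour in the report. */
static int64_t parse_year_wrapping(const char *s)
{
    uint64_t acc = 0;
    for (; *s >= '0' && *s <= '9'; s++)
        acc = acc * 10 + (uint64_t)(*s - '0');   /* wraps modulo 2^64 */
    return (int64_t)acc;
}

/* Hardened parser: accepts only a non-empty string of decimal digits whose
 * value fits in int64_t. Returns false (and leaves *out untouched) on an
 * empty string, a non-digit character, or a value that would exceed
 * INT64_MAX. The check is done before the multiply-add, so no overflow
 * ever occurs inside this function. */
static bool parse_year_checked(const char *s, int64_t *out)
{
    if (*s < '0' || *s > '9')
        return false;                       /* empty or not a digit */
    int64_t acc = 0;
    for (; *s; s++) {
        if (*s < '0' || *s > '9')
            return false;                   /* trailing garbage */
        int d = *s - '0';
        /* acc * 10 + d <= INT64_MAX  <=>  acc <= (INT64_MAX - d) / 10 */
        if (acc > (INT64_MAX - d) / 10)
            return false;                   /* would overflow */
        acc = acc * 10 + d;
    }
    *out = acc;
    return true;
}

/* Convenience wrapper for tests: the parsed year, or -1 if rejected.
 * -1 can never collide with a valid result because only digit strings
 * (hence non-negative values) are accepted. */
static int64_t checked_year_or_neg1(const char *s)
{
    int64_t y;
    return parse_year_checked(s, &y) ? y : -1;
}

int main(void)
{
    /* Constructed inputs: the PoC value from the report, INT64_MAX, and
     * INT64_MAX + 1. */
    const char *inputs[] = {
        "2016", "9223372036854775807", "9223372036854775808",
        "18446744073709553592",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int64_t y;
        printf("%-22s wrapping=%" PRId64 "  checked=", inputs[i],
               parse_year_wrapping(inputs[i]));
        if (parse_year_checked(inputs[i], &y))
            printf("%" PRId64 "\n", y);
        else
            printf("rejected (out of range)\n");
    }
    return 0;
}
```

Running the program prints one line per input; the wrapping column reproduces the 1976 seen in the xsltproc output above, while the checked column rejects both 9223372036854775808 and the PoC value instead of wrapping.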
Comment 1 Nick Wellnhofer 2017-05-18 16:29:36 UTC
Should be fixed with the following commit:

https://git.gnome.org/browse/libxslt/commit/?id=d86cb0b5d75e0312f4e22d23af56c3a76f689edb