GNOME Bugzilla – Bug 783052
Integer-overflow in xmlStringGetNodeList and xmlStringLenGetNodeList
Last modified: 2017-09-13 17:07:22 UTC
Both xmlStringGetNodeList() and xmlStringLenGetNodeList() contain code that converts characters to a signed integer ('charval'), but doesn't check for overflow:

    while (tmp != ';') { /* Non input consuming loops */
        if ((tmp >= '0') && (tmp <= '9'))
            charval = charval * 10 + (tmp - '0');
        else {
            xmlTreeErr(XML_TREE_INVALID_DEC, (xmlNodePtr) doc, NULL);
            charval = 0;
            break;
        }
        [...]
    }

Imported from: <https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=592>
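To make the reported defect concrete, here is an added example (not libxml2's code, and not the fix from either commit referenced below) that places a loop shaped like the one quoted in the report beside a bounds-checked version. The names dec_charref_wrapping, dec_charref_checked, is_xml_char and the MAX_CODEPOINT cap are this example's own choices. The report's loop accumulates into a signed int, where overflow is undefined behaviour; the "wrapping" variant here uses uint32_t instead so the wrap-around is well defined and can be observed deterministically. The hardened variant checks the bound before each multiply-add, refuses an empty or unterminated reference, and finally requires a code point permitted by the XML 1.0 Char production.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Largest Unicode scalar value: no character reference can legitimately
 * exceed it, so it is a safe cap for the accumulator (this example's choice). */
#define MAX_CODEPOINT 0x10FFFFL

/* XML 1.0 "Char" production: the code points a document may contain. */
static int is_xml_char(long long c)
{
    return c == 0x9 || c == 0xA || c == 0xD ||
           (c >= 0x20 && c <= 0xD7FF) ||
           (c >= 0xE000 && c <= 0xFFFD) ||
           (c >= 0x10000 && c <= 0x10FFFF);
}

/* Same shape as the loop quoted in the report: the digits of "&#NNN;" are
 * accumulated with no bound check. uint32_t stands in for the report's
 * signed int so the wrap-around is defined behaviour for demonstration.
 * Returns the accumulated value, or -1 if the text is not "&#<digits>;". */
static long long dec_charref_wrapping(const char *s)
{
    uint32_t charval = 0;
    if (s[0] != '&' || s[1] != '#') return -1;
    for (s += 2; *s != ';'; s++) {
        if (*s >= '0' && *s <= '9')
            charval = charval * 10 + (uint32_t)(*s - '0'); /* silently wraps */
        else
            return -1; /* non-digit, including end of string */
    }
    return (long long)charval;
}

/* Hardened variant: reject before a multiply-add would push the value past
 * MAX_CODEPOINT, require at least one digit, stop at end of string, and
 * finally require a code point XML actually allows. Returns -1 on error. */
static long long dec_charref_checked(const char *s)
{
    long long charval = 0;
    int ndigits = 0;
    if (s[0] != '&' || s[1] != '#') return -1;
    for (s += 2; *s != ';'; s++) {
        if (*s == '\0') return -1;            /* unterminated reference */
        if (*s < '0' || *s > '9') return -1;  /* invalid decimal reference */
        long long digit = *s - '0';
        /* charval * 10 + digit <= MAX_CODEPOINT  <=>  charval <= (MAX - digit) / 10 */
        if (charval > (MAX_CODEPOINT - digit) / 10) return -1;
        charval = charval * 10 + digit;
        ndigits++;
    }
    if (ndigits == 0 || !is_xml_char(charval)) return -1;
    return charval;
}

int main(void)
{
    /* Constructed sample references: valid, at the cap, one past the cap,
     * 2^32 + 1 (wraps to 1 in 32 bits), NUL, and an unterminated reference. */
    const char *samples[] = { "&#65;", "&#1114111;", "&#1114112;",
                              "&#4294967297;", "&#0;", "&#12" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s wrapping=%lld checked=%lld\n", samples[i],
               dec_charref_wrapping(samples[i]), dec_charref_checked(samples[i]));
    return 0;
}
```

Running it shows the point of the report: "&#4294967297;" comes out of the unchecked loop as 1, a perfectly ordinary code point, while the checked loop refuses it as soon as the next digit would exceed the cap. The same pre-multiplication check generalises to the hexadecimal form of a character reference by replacing 10 with 16.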
Fixed with https://git.gnome.org/browse/libxml2/commit/?id=0fcab658a27c3f0759b89809da1015f9bcbd999a The problem was limited to recovery mode. xmlStringGetNodeList() should have never seen invalid character references in the first place.
Better fix: https://git.gnome.org/browse/libxml2/commit/?id=abbda93c723b337ae647ccb398c23eeb1868add4
And remember, the recover option is for manual one-time intervention only. I never intended that to be used by default, at least in XML parsing mode, as it's a clear violation of the XML specification.

Daniel