@@ -1450,6 +1450,8 @@ static int cli_html_normalise(int fd, m_area_t *m_area, const char *dirname, tag |
1450 | 1450 |
next_state = HTML_BAD_STATE; |
1451 | 1451 |
ptr++; |
1452 | 1452 |
} else if (isdigit(*ptr) || (hex && isxdigit(*ptr))) { |
1453 |
+ int64_t increment = 0; |
|
1454 |
+ |
|
1453 | 1455 |
if (hex && (value >> 32) * 16 < INT32_MAX) { |
1454 | 1456 |
value *= 16; |
1455 | 1457 |
} else if ((value >> 32) * 10 < INT32_MAX) { |
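Review bot: The two multiplication guards at the end of this hunk let a hex entity fall through to the base-10 path: when `hex` is set but `(value >> 32) * 16 < INT32_MAX` fails, the `else if ((value >> 32) * 10 < INT32_MAX)` can still succeed and (presumably, its body is collapsed below) scale `value` by 10 instead of 16, so a near-overflow hex reference is parsed with the wrong radix rather than stopped, and the new `increment` bound added in the next hunk does not change that. Choosing the radix once would close the gap: `int64_t base = hex ? 16 : 10;` / `if ((value >> 32) * base >= INT32_MAX) { /* existing overflow handling */ }` / `value *= base;`, with the `else` that follows this hunk folded into the failed case. The added `int64_t increment = 0;` would also read better with one line saying why it exists, e.g. `/* Digit value, kept separate so the addition below can be overflow-checked. */`. Separately, `isdigit(*ptr)` and `isxdigit(*ptr)` pass `*ptr` without an `unsigned char` cast; if `ptr` is a plain `char *` (its declaration is outside the hunk), a byte with the high bit set is undefined behaviour for the ctype functions. cli_html_normalise starts and ends outside this hunk.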
@@ -1462,10 +1464,19 @@ static int cli_html_normalise(int fd, m_area_t *m_area, const char *dirname, tag |
1462 | 1462 |
break; |
1463 | 1463 |
} |
1464 | 1464 |
if (isdigit(*ptr)) { |
1465 |
- value += (*ptr - '0'); |
|
1465 |
+ increment = *ptr - '0'; |
|
1466 | 1466 |
} else { |
1467 |
- value += (tolower(*ptr) - 'a' + 10); |
|
1467 |
+ increment = tolower(*ptr) - 'a' + 10; |
|
1468 |
+ } |
|
1469 |
+ if (value > INT64_MAX - increment) { |
|
1470 |
+ /* Addition would result in integer overflow. */ |
|
1471 |
+ html_output_c(file_buff_o2, value); |
|
1472 |
+ state = next_state; |
|
1473 |
+ next_state = HTML_BAD_STATE; |
|
1474 |
+ ptr++; |
|
1475 |
+ break; |
|
1468 | 1476 |
} |
1477 |
+ value += increment; |
|
1469 | 1478 |
ptr++; |
1470 | 1479 |
} else { |
1471 | 1480 |
html_output_c(file_buff_o2, value); |