Browse code
fuzz - 13785 - Check to detect potential integer overflow in cli_html_normalise.
Micah Snyder authored on 2019/05/11 06:32:45Showing 1 changed files
| ... | ... |
@@ -1450,6 +1450,8 @@ static int cli_html_normalise(int fd, m_area_t *m_area, const char *dirname, tag |
| 1450 | 1450 |
next_state = HTML_BAD_STATE; |
| 1451 | 1451 |
ptr++; |
| 1452 | 1452 |
} else if (isdigit(*ptr) || (hex && isxdigit(*ptr))) {
|
| 1453 |
+ int64_t increment = 0; |
|
| 1454 |
+ |
|
| 1453 | 1455 |
if (hex && (value >> 32) * 16 < INT32_MAX) {
|
| 1454 | 1456 |
value *= 16; |
| 1455 | 1457 |
} else if ((value >> 32) * 10 < INT32_MAX) {
|
| ... | ... |
@@ -1462,10 +1464,19 @@ static int cli_html_normalise(int fd, m_area_t *m_area, const char *dirname, tag |
| 1462 | 1462 |
break; |
| 1463 | 1463 |
} |
| 1464 | 1464 |
if (isdigit(*ptr)) {
|
| 1465 |
- value += (*ptr - '0'); |
|
| 1465 |
+ increment = *ptr - '0'; |
|
| 1466 | 1466 |
} else {
|
| 1467 |
- value += (tolower(*ptr) - 'a' + 10); |
|
| 1467 |
+ increment = tolower(*ptr) - 'a' + 10; |
|
| 1468 |
+ } |
|
| 1469 |
+ if (value > INT64_MAX - increment) {
|
|
| 1470 |
+ /* Addition would result in integer overflow. */ |
|
| 1471 |
+ html_output_c(file_buff_o2, value); |
|
| 1472 |
+ state = next_state; |
|
| 1473 |
+ next_state = HTML_BAD_STATE; |
|
| 1474 |
+ ptr++; |
|
| 1475 |
+ break; |
|
| 1468 | 1476 |
} |
| 1477 |
+ value += increment; |
|
| 1469 | 1478 |
ptr++; |
| 1470 | 1479 |
} else {
|
| 1471 | 1480 |
html_output_c(file_buff_o2, value); |