40 lines
1.3 KiB
Diff
40 lines
1.3 KiB
Diff
From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Mon, 3 Aug 2020 17:30:41 +0200
|
|
Subject: [PATCH] Fix integer overflow when comparing schema dates
|
|
|
|
Found by OSS-Fuzz.
|
|
---
|
|
xmlschemastypes.c | 10 ++++++++++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/xmlschemastypes.c b/xmlschemastypes.c
|
|
index 4249d7000..d6b9f924e 100644
|
|
--- a/xmlschemastypes.c
|
|
+++ b/xmlschemastypes.c
|
|
@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
|
|
minday = 0;
|
|
maxday = 0;
|
|
} else {
|
|
+ if (myear > LONG_MAX / 366)
|
|
+ return -2;
|
|
/* FIXME: This doesn't take leap year exceptions every 100/400 years
|
|
into account. */
|
|
maxday = 365 * myear + (myear + 3) / 4;
|
|
@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
|
|
if ((x == NULL) || (y == NULL))
|
|
return -2;
|
|
|
|
+ if ((x->value.date.year > LONG_MAX / 366) ||
|
|
+ (x->value.date.year < LONG_MIN / 366) ||
|
|
+ (y->value.date.year > LONG_MAX / 366) ||
|
|
+ (y->value.date.year < LONG_MIN / 366)) {
|
|
+ /* Possible overflow when converting to days. */
|
|
+ return -2;
|
|
+ }
|
|
+
|
|
if (x->value.date.tz_flag) {
|
|
|
|
if (!y->value.date.tz_flag) {
|
|
--
|
|
GitLab
|