libxml2/Fix-unsigned-integer-overflow-in-htmlParseTryOrFinis.patch

From 681f094e5bd1d0f6b38b27701d0d1bf1ca7a9a26 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 15 Jun 2020 15:23:05 +0200
Subject: [PATCH] Fix unsigned integer overflow in htmlParseTryOrFinish

Cast to signed type before subtraction to avoid unsigned integer
overflow. Also use ptrdiff_t to avoid potential integer truncation.

Found with libFuzzer and UBSan.
---
 HTMLparser.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/HTMLparser.c b/HTMLparser.c
index be7e14f..9ade663 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -5339,7 +5339,7 @@ static int
 htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
     int ret = 0;
     htmlParserInputPtr in;
-    int avail = 0;
+    ptrdiff_t avail = 0;
     xmlChar cur, next;
 
     htmlParserNodeInfo node_info;
@@ -5404,7 +5404,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
 	if (in->buf == NULL)
 	    avail = in->length - (in->cur - in->base);
 	else
-	    avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+	    avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                    (in->cur - in->base);
 	if ((avail == 0) && (terminate)) {
 	    htmlAutoCloseOnEnd(ctxt);
 	    if ((ctxt->nameNr == 0) && (ctxt->instate != XML_PARSER_EOF)) {
@@ -5440,7 +5441,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
 		    if (in->buf == NULL)
 			avail = in->length - (in->cur - in->base);
 		    else
-			avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+			avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                                (in->cur - in->base);
 		}
 		if ((ctxt->sax) && (ctxt->sax->setDocumentLocator))
 		    ctxt->sax->setDocumentLocator(ctxt->userData,
@@ -5482,7 +5484,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
 		if (in->buf == NULL)
 		    avail = in->length - (in->cur - in->base);
 		else
-		    avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+		    avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                            (in->cur - in->base);
 		/*
 		 * no chars in buffer
 		 */
@@ -5555,7 +5558,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
 		if (in->buf == NULL)
 		    avail = in->length - (in->cur - in->base);
 		else
-		    avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+		    avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                            (in->cur - in->base);
 		if (avail < 2)
 		    goto done;
 		cur = in->cur[0];
@@ -5596,7 +5600,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
 		if (in->buf == NULL)
 		    avail = in->length - (in->cur - in->base);
 		else
-		    avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+		    avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                            (in->cur - in->base);
 		if (avail < 1)
 		    goto done;
 		cur = in->cur[0];
-- 
1.8.3.1
fix issues about SEGV, memleak, overflow, etc. 2021-11-11 20:19:02 +08:00			`From 681f094e5bd1d0f6b38b27701d0d1bf1ca7a9a26 Mon Sep 17 00:00:00 2001`
			`From: Nick Wellnhofer <wellnhofer@aevum.de>`
			`Date: Mon, 15 Jun 2020 15:23:05 +0200`
			`Subject: [PATCH] Fix unsigned integer overflow in htmlParseTryOrFinish`

			`Cast to signed type before subtraction to avoid unsigned integer`
			`overflow. Also use ptrdiff_t to avoid potential integer truncation.`

			`Found with libFuzzer and UBSan.`
			`---`
			`HTMLparser.c \| 17 +++++++++++------`
			`1 file changed, 11 insertions(+), 6 deletions(-)`

			`diff --git a/HTMLparser.c b/HTMLparser.c`
			`index be7e14f..9ade663 100644`
			`--- a/HTMLparser.c`
			`+++ b/HTMLparser.c`
			`@@ -5339,7 +5339,7 @@ static int`
			`htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {`
			`int ret = 0;`
			`htmlParserInputPtr in;`
			`- int avail = 0;`
			`+ ptrdiff_t avail = 0;`
			`xmlChar cur, next;`

			`htmlParserNodeInfo node_info;`
			`@@ -5404,7 +5404,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {`
			`if (in->buf == NULL)`
			`avail = in->length - (in->cur - in->base);`
			`else`
			`- avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);`
			`+ avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -`
			`+ (in->cur - in->base);`
			`if ((avail == 0) && (terminate)) {`
			`htmlAutoCloseOnEnd(ctxt);`
			`if ((ctxt->nameNr == 0) && (ctxt->instate != XML_PARSER_EOF)) {`
			`@@ -5440,7 +5441,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {`
			`if (in->buf == NULL)`
			`avail = in->length - (in->cur - in->base);`
			`else`
			`- avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);`
			`+ avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -`
			`+ (in->cur - in->base);`
			`}`
			`if ((ctxt->sax) && (ctxt->sax->setDocumentLocator))`
			`ctxt->sax->setDocumentLocator(ctxt->userData,`
			`@@ -5482,7 +5484,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {`
			`if (in->buf == NULL)`
			`avail = in->length - (in->cur - in->base);`
			`else`
			`- avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);`
			`+ avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -`
			`+ (in->cur - in->base);`
			`/*`
			`* no chars in buffer`
			`*/`
			`@@ -5555,7 +5558,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {`
			`if (in->buf == NULL)`
			`avail = in->length - (in->cur - in->base);`
			`else`
			`- avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);`
			`+ avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -`
			`+ (in->cur - in->base);`
			`if (avail < 2)`
			`goto done;`
			`cur = in->cur[0];`
			`@@ -5596,7 +5600,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {`
			`if (in->buf == NULL)`
			`avail = in->length - (in->cur - in->base);`
			`else`
			`- avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);`
			`+ avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -`
			`+ (in->cur - in->base);`
			`if (avail < 1)`
			`goto done;`
			`cur = in->cur[0];`
			`--`
			`1.8.3.1`