From 0ae7f4f53720e867c92ac9465062285293568856 Mon Sep 17 00:00:00 2001
From: Vicent Marti <tanoku@gmail.com>
Date: Wed, 10 Sep 2014 20:02:01 +0200
Subject: Handle overflows in the codepoint parser

---
 src/html/houdini_html_u.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

(limited to 'src/html')

diff --git a/src/html/houdini_html_u.c b/src/html/houdini_html_u.c
index b8e2d8d..49b4956 100644
--- a/src/html/houdini_html_u.c
+++ b/src/html/houdini_html_u.c
@@ -15,13 +15,25 @@ houdini_unescape_ent(strbuf *ob, const uint8_t *src, size_t size)
 		int codepoint = 0;
 
 		if (_isdigit(src[1])) {
-			for (i = 1; i < size && _isdigit(src[i]); ++i)
-				codepoint = (codepoint * 10) + (src[i] - '0');
+			for (i = 1; i < size && _isdigit(src[i]); ++i) {
+				int cp = (codepoint * 10) + (src[i] - '0');
+
+				if (cp < codepoint)
+					return 0;
+
+				codepoint = cp;
+			}
 		}
 
 		else if (src[1] == 'x' || src[1] == 'X') {
-			for (i = 2; i < size && _isxdigit(src[i]); ++i)
-				codepoint = (codepoint * 16) + ((src[i] | 32) % 39 - 9);
+			for (i = 2; i < size && _isxdigit(src[i]); ++i) {
+				int cp = (codepoint * 16) + ((src[i] | 32) % 39 - 9);
+
+				if (cp < codepoint)
+					return 0;
+
+				codepoint = cp;
+			}
 		}
 
 		if (i < size && src[i] == ';' && codepoint) {
-- 
cgit v1.2.3