Subject: [PATCH] avoid triggering signed integer overflow

I found the following problems when I was doing the fuzzy test of wget.
The value of timeout is of the int type, and the value is not checked during
multiplication.
When the value of timeout is too large, multiplication overflow occurs when
multiplying the value by 10.

Signed-off-by: Chengliang Zhu <zhuchenglia...@huawei.com>
Signed-off-by: Aichun Li <liaic...@huawei.com>

---
src/html-url.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/html-url.c b/src/html-url.c
index 2f95357..409f2a0 100644
--- a/src/html-url.c
+++ b/src/html-url.c
@@ -596,7 +596,11 @@ tag_handle_meta (int tagid _GL_UNUSED, struct taginfo 
*tag, struct map_context *
         return;
       for (p = refresh; c_isdigit (*p); p++)
-        timeout = 10 * timeout + *p - '0';
+        {
+          if (timeout > INT_MAX >> 4 || *p - '0' > INT_MAX - 10 * timeout)
+            return;
+          timeout = 10 * timeout + *p - '0';
+        }
       if (*p++ != ';')
         return;
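
Review bot: In the new guard inside the digit loop, the second clause `*p - '0' > INT_MAX - 10 * timeout` can never be true once the first clause passes. With timeout <= INT_MAX >> 4, the product 10 * timeout is at most ten sixteenths of INT_MAX, which leaves far more than 9 of headroom. The effective limit is therefore INT_MAX / 16, not the real overflow boundary, so the loop returns early on values that would still fit in an int. A single exact test such as `if (timeout > (INT_MAX - (*p - '0')) / 10) return;` covers both the multiplication and the addition without relying on the shift. Please also confirm that <limits.h> is included in src/html-url.c for INT_MAX, since the hunk does not show it, and consider whether silently returning (dropping the refresh URL) is the intended behaviour rather than clamping timeout.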
