LibXML: Fail gracefully on integer overflow in character references

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47738
2025-05-31 16:28:11 +00:00 · 2022-07-10 19:48:02 +03:00 · 2022-07-10 19:48:02 +03:00 · 18d25124bf
commit 18d25124bf
parent 1d96c30488
2 changed files with 14 additions and 5 deletions
--- a/Userland/Libraries/LibXML/Parser/Parser.cpp
+++ b/Userland/Libraries/LibXML/Parser/Parser.cpp
@ -758,26 +758,26 @@ ErrorOr<Variant<Parser::EntityReference, String>, ParseError> Parser::parse_refe
    auto name_result = parse_name();
    if (name_result.is_error()) {
        TRY(expect("#"));
-        u32 code_point;
+        Optional<u32> code_point;
        if (m_lexer.consume_specific('x')) {
            auto hex = TRY(expect_many(
                ranges_for_search<Range('0', '9'), Range('a', 'f'), Range('A', 'F')>(),
                "any of [0-9a-fA-F]"));
-            code_point = *AK::StringUtils::convert_to_uint_from_hex<u32>(hex);
+            code_point = AK::StringUtils::convert_to_uint_from_hex<u32>(hex);
        } else {
            auto decimal = TRY(expect_many(
                ranges_for_search<Range('0', '9')>(),
                "any of [0-9]"));
-            code_point = *decimal.to_uint<u32>();
+            code_point = decimal.to_uint<u32>();
        }

-        if (!s_characters.contains(code_point))
+        if (!code_point.has_value() || !s_characters.contains(*code_point))
            return parse_error(reference_start, "Invalid character reference");

        TRY(expect(";"));

        StringBuilder builder;
-        builder.append_code_point(code_point);
+        builder.append_code_point(*code_point);

        rollback.disarm();
        return builder.to_string();