Hi, Not a big deal, but it's better not to accept a bogus "4294967297" and silently map it to "1". Don't accept an arbitrarily-long string of digits. * src/xml.c (parseNumber): Detect overflow. diff --git a/src/xml.c b/src/xml.c index 3e92040..5011dc2 100644 --- a/src/xml.c +++ b/src/xml.c @@ -1,7 +1,7 @@ /* * xml.c: XML based interfaces for the libvir library * - * Copyright (C) 2005 Red Hat, Inc. + * Copyright (C) 2005, 2007 Red Hat, Inc. * * See COPYING.LIB for the License of this software * @@ -77,7 +77,7 @@ skipSpaces(const char **str) { * * Parse a number * - * Returns the CPU number or -1 in case of error. @str will be + * Returns the unsigned number or -1 in case of error. @str will be * updated to skip the number. */ static int @@ -89,8 +89,11 @@ parseNumber(const char **str) { return(-1); while ((*cur >= '0') && (*cur <= '9')) { - ret = ret * 10 + (*cur - '0'); - cur++; + unsigned int c = *cur - '0'; + if (ret > INT_MAX / 10 || (ret == INT_MAX / 10 && c > INT_MAX % 10)) + return(-1); + ret = ret * 10 + c; + cur++; } *str = cur; return(ret);