From 18425d3ad5a9bbe5c6e7fd4a9a45691e6c8862d1 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 21 Jun 2020 19:14:23 +0200
Subject: [PATCH 060/139] Fix integer overflow in _xmlSchemaParseGYear

Found with libFuzzer and UBSan.
---
 xmlschemastypes.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/xmlschemastypes.c b/xmlschemastypes.c
index 35edfd6..164db94 100644
--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
@@ -1222,7 +1222,14 @@ _xmlSchemaParseGYear (xmlSchemaValDatePtr dt, const xmlChar **str) {
 firstChar = cur;
 while ((*cur >= '0') && (*cur <= '9')) {
- dt->year = dt->year * 10 + (*cur - '0');
+ int digit = *cur - '0';
+
+ if (dt->year > LONG_MAX / 10)
+ return 2;
+ dt->year *= 10;
+ if (dt->year > LONG_MAX - digit)
+ return 2;
+ dt->year += digit;
 cur++;
 digcnt++;
 }
--
1.8.3.1
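Review bot: The two new `return 2;` paths inside the digit loop carry no comment, so a reader cannot tell that 2 now also means "the year does not fit in a long" rather than whatever 2 already signals in this parser (presumably a value-range error; the function's other return statements are outside the hunk). I would put `/* Too many digits: the year would overflow long (UB); reject before multiplying. */` above the first check and add a line to the function's header comment saying 2 is returned for an out-of-range year. The guard is only sound if `dt->year` is non-negative on entry, which looks like the case since the loop accumulates the magnitude and any sign handling is outside the hunk — worth stating in that comment. `LONG_MAX` comes from `<limits.h>`; if xmlschemastypes.c does not already include it, the include is missing from this patch. _xmlSchemaParseGYear starts and ends outside the hunk.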