From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 3 Aug 2020 17:30:41 +0200
Subject: [PATCH] Fix integer overflow when comparing schema dates

Found by OSS-Fuzz.
---
 xmlschemastypes.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/xmlschemastypes.c b/xmlschemastypes.c
index 4249d700..d6b9f924 100644
--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
 	minday = 0;
 	maxday = 0;
     } else {
+        if (myear > LONG_MAX / 366)
+            return -2;
         /* FIXME: This doesn't take leap year exceptions every 100/400 years
            into account. */
 	maxday = 365 * myear + (myear + 3) / 4;
@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
     if ((x == NULL) || (y == NULL))
         return -2;
 
+    if ((x->value.date.year > LONG_MAX / 366) ||
+        (x->value.date.year < LONG_MIN / 366) ||
+        (y->value.date.year > LONG_MAX / 366) ||
+        (y->value.date.year < LONG_MIN / 366)) {
+        /* Possible overflow when converting to days. */
+        return -2;
+    }
+
     if (x->value.date.tz_flag) {
 
         if (!y->value.date.tz_flag) {
-- 
2.28.0.rc2