html5lib_shim: validate unicode points for convert_entity

fixes:

* https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29865
* https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29882

Author: Greg Guthe

bleach/html5lib_shim.py

@@ -459,9 +459,22 @@ def convert_entity(value):
     if value[0] == "#":
         if len(value) < 2:
             return None
+
         if value[1] in ("x", "X"):
-            return six.unichr(int(value[2:], 16))
-        return six.unichr(int(value[1:], 10))
+            # hex-encoded code point
+            int_as_string, base = value[2:], 16
+        else:
+            # decimal code point
+            int_as_string, base = value[1:], 10
+
+        if int_as_string == "":
+            return None
+
+        code_point = int(int_as_string, base)
+        if 0 < code_point < 0x110000:
+            return six.unichr(code_point)
+        else:
+            return None
 
     return ENTITIES.get(value, None)
 

tests/test_html5lib_shim.py

@@ -19,6 +19,16 @@
         ("&xx;", "&xx;"),
         # Handles multiple entities in the same string
         ("this & that & that", "this & that & that"),
+        # Handles empty decimal and hex encoded code points
+        ("&#x;", "&#x;"),
+        ("&#;", "&#;"),
+        # Handles too high unicode points
+        ("�", "�"),
+        ("�", "�"),
+        ("�", "�"),
+        # Handles negative unicode points
+        ("&#-1;", "&#-1;"),
+        ("&#x-1;", "&#x-1;"),
     ],
 )
 def test_convert_entities(data, expected):