- Debian's backport of RH's patch, fixes CAN-2004-0110

Changed files:
    libxml-urlbound.patch -> 1.1

diff --git a/libxml-urlbound.patch b/libxml-urlbound.patch
new file mode 100644 (file)
index 0000000..2665033
--- /dev/null
+++ b/libxml-urlbound.patch
@@ -0,0 +1,128 @@
+--- libxml-1.8.17.orig/nanoftp.c
++++ libxml-1.8.17/nanoftp.c
+@@ -65,6 +65,8 @@
+ #define FTP_GET_PASSWD                331
+ #define FTP_BUF_SIZE          512
+ 
++#define XML_NANO_MAX_URLBUF   4096
++
+ typedef struct xmlNanoFTPCtxt {
+     char *protocol;   /* the protocol name */
+     char *hostname;   /* the host name */
+@@ -203,7 +205,7 @@
+ xmlNanoFTPScanURL(void *ctx, const char *URL) {
+     xmlNanoFTPCtxtPtr ctxt = (xmlNanoFTPCtxtPtr) ctx;
+     const char *cur = URL;
+-    char buf[4096];
++    char buf[XML_NANO_MAX_URLBUF];
+     int index = 0;
+     int port = 0;
+ 
+@@ -221,7 +223,7 @@
+     }
+     if (URL == NULL) return;
+     buf[index] = 0;
+-    while (*cur != 0) {
++    while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF - 1)) {
+         if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
+           buf[index] = 0;
+           ctxt->protocol = xmlMemStrdup(buf);
+@@ -263,7 +265,7 @@
+     else {
+         index = 0;
+         buf[index] = 0;
+-      while (*cur != 0)
++      while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1))
+           buf[index++] = *cur++;
+       buf[index] = 0;
+       ctxt->path = xmlMemStrdup(buf);
+@@ -288,7 +290,7 @@
+ xmlNanoFTPUpdateURL(void *ctx, const char *URL) {
+     xmlNanoFTPCtxtPtr ctxt = (xmlNanoFTPCtxtPtr) ctx;
+     const char *cur = URL;
+-    char buf[4096];
++    char buf[XML_NANO_MAX_URLBUF];
+     int index = 0;
+     int port = 0;
+ 
+@@ -301,7 +303,7 @@
+     if (ctxt->hostname == NULL)
+       return(-1);
+     buf[index] = 0;
+-    while (*cur != 0) {
++    while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) {
+         if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
+           buf[index] = 0;
+           if (strcmp(ctxt->protocol, buf))
+@@ -353,7 +355,7 @@
+     else {
+         index = 0;
+         buf[index] = 0;
+-      while (*cur != 0)
++      while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1))
+           buf[index++] = *cur++;
+       buf[index] = 0;
+       ctxt->path = xmlMemStrdup(buf);
+@@ -374,7 +376,7 @@
+ void
+ xmlNanoFTPScanProxy(const char *URL) {
+     const char *cur = URL;
+-    char buf[4096];
++    char buf[XML_NANO_MAX_URLBUF];
+     int index = 0;
+     int port = 0;
+ 
+@@ -393,7 +395,7 @@
+ #endif
+     if (URL == NULL) return;
+     buf[index] = 0;
+-    while (*cur != 0) {
++    while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) {
+         if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
+           buf[index] = 0;
+           index = 0;
+--- libxml-1.8.17.orig/nanohttp.c
++++ libxml-1.8.17/nanohttp.c
+@@ -161,6 +161,7 @@
+     const char *cur = URL;
+     char buf[4096];
+     int index = 0;
++    const int indexMax = 4096 - 1;
+     int port = 0;
+ 
+     if (ctxt->protocol != NULL) { 
+@@ -177,7 +178,7 @@
+     }
+     if (URL == NULL) return;
+     buf[index] = 0;
+-    while (*cur != 0) {
++    while ((*cur != 0) && (index < indexMax)) {
+         if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
+           buf[index] = 0;
+           ctxt->protocol = xmlMemStrdup(buf);
+@@ -219,7 +220,7 @@
+     else {
+         index = 0;
+         buf[index] = 0;
+-      while (*cur != 0)
++      while ((*cur != 0) && (index < indexMax))
+           buf[index++] = *cur++;
+       buf[index] = 0;
+       ctxt->path = xmlMemStrdup(buf);
+@@ -241,6 +242,7 @@
+     const char *cur = URL;
+     char buf[4096];
+     int index = 0;
++    const int indexMax = 4096 - 1;
+     int port = 0;
+ 
+     if (proxy != NULL) { 
+@@ -258,7 +260,7 @@
+ #endif
+     if (URL == NULL) return;
+     buf[index] = 0;
+-    while (*cur != 0) {
++    while ((*cur != 0) && (index < indexMax)) {
+         if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
+           buf[index] = 0;
+           index = 0;