--- libxml-1.8.17.orig/nanoftp.c +++ libxml-1.8.17/nanoftp.c @@ -65,6 +65,8 @@ #define FTP_GET_PASSWD 331 #define FTP_BUF_SIZE 512 +#define XML_NANO_MAX_URLBUF 4096 + typedef struct xmlNanoFTPCtxt { char *protocol; /* the protocol name */ char *hostname; /* the host name */ @@ -203,7 +205,7 @@ xmlNanoFTPScanURL(void *ctx, const char *URL) { xmlNanoFTPCtxtPtr ctxt = (xmlNanoFTPCtxtPtr) ctx; const char *cur = URL; - char buf[4096]; + char buf[XML_NANO_MAX_URLBUF]; int index = 0; int port = 0; @@ -221,7 +223,7 @@ } if (URL == NULL) return; buf[index] = 0; - while (*cur != 0) { + while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF - 1)) { if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) { buf[index] = 0; ctxt->protocol = xmlMemStrdup(buf); @@ -236,7 +236,7 @@ if (*cur == 0) return; buf[index] = 0; - while (1) { + while (index < (XML_NANO_MAX_URLBUF - 1)) { if (cur[0] == ':') { buf[index] = 0; ctxt->hostname = xmlMemStrdup(buf); @@ -263,7 +265,7 @@ else { index = 0; buf[index] = 0; - while (*cur != 0) + while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) buf[index++] = *cur++; buf[index] = 0; ctxt->path = xmlMemStrdup(buf); @@ -288,7 +290,7 @@ xmlNanoFTPUpdateURL(void *ctx, const char *URL) { xmlNanoFTPCtxtPtr ctxt = (xmlNanoFTPCtxtPtr) ctx; const char *cur = URL; - char buf[4096]; + char buf[XML_NANO_MAX_URLBUF]; int index = 0; int port = 0; @@ -301,7 +303,7 @@ if (ctxt->hostname == NULL) return(-1); buf[index] = 0; - while (*cur != 0) { + while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) { if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) { buf[index] = 0; if (strcmp(ctxt->protocol, buf)) @@ -318,7 +318,7 @@ return(-1); buf[index] = 0; - while (1) { + while (index < (XML_NANO_MAX_URLBUF - 1)) { if (cur[0] == ':') { buf[index] = 0; if (strcmp(ctxt->hostname, buf)) @@ -353,7 +355,7 @@ else { index = 0; buf[index] = 0; - while (*cur != 0) + while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) buf[index++] = *cur++; buf[index] = 0; ctxt->path = xmlMemStrdup(buf); @@ -374,7 +376,7 @@ void xmlNanoFTPScanProxy(const char *URL) { const char *cur = URL; - char buf[4096]; + char buf[XML_NANO_MAX_URLBUF]; int index = 0; int port = 0; @@ -393,7 +395,7 @@ #endif if (URL == NULL) return; buf[index] = 0; - while (*cur != 0) { + while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) { if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) { buf[index] = 0; index = 0; @@ -407,7 +407,7 @@ if (*cur == 0) return; buf[index] = 0; - while (1) { + while (index < (XML_NANO_MAX_URLBUF - 1)) { if (cur[0] == ':') { buf[index] = 0; proxy = xmlMemStrdup(buf); --- libxml-1.8.17.orig/nanohttp.c +++ libxml-1.8.17/nanohttp.c @@ -161,6 +161,7 @@ const char *cur = URL; char buf[4096]; int index = 0; + const int indexMax = 4096 - 1; int port = 0; if (ctxt->protocol != NULL) { @@ -177,7 +178,7 @@ } if (URL == NULL) return; buf[index] = 0; - while (*cur != 0) { + while ((*cur != 0) && (index < indexMax)) { if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) { buf[index] = 0; ctxt->protocol = xmlMemStrdup(buf); @@ -191,7 +191,7 @@ if (*cur == 0) return; buf[index] = 0; - while (1) { + while (index < indexMax) { if (cur[0] == ':') { buf[index] = 0; ctxt->hostname = xmlMemStrdup(buf); @@ -219,7 +220,7 @@ else { index = 0; buf[index] = 0; - while (*cur != 0) + while ((*cur != 0) && (index < indexMax)) buf[index++] = *cur++; buf[index] = 0; ctxt->path = xmlMemStrdup(buf); @@ -241,6 +242,7 @@ const char *cur = URL; char buf[4096]; int index = 0; + const int indexMax = 4096 - 1; int port = 0; if (proxy != NULL) { @@ -258,7 +260,7 @@ #endif if (URL == NULL) return; buf[index] = 0; - while (*cur != 0) { + while ((*cur != 0) && (index < indexMax)) { if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) { buf[index] = 0; index = 0; @@ -272,7 +272,7 @@ if (*cur == 0) return; buf[index] = 0; - while (1) { + while (index < indexMax) { if (cur[0] == ':') { buf[index] = 0; proxy = xmlMemStrdup(buf);