Bugzilla – Attachment 27162 Details for
Bug 64362
VUL-0: CVE-2004-0989: libxml: missing patches
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
IDP Log In
|
Forgot Password
[patch]
libxml_1.8.17-2-secfix.diff
libxml_1.8.17-2-secfix.diff (text/plain), 3.90 KB, created by
Thomas Biege
on 2004-12-17 19:33:44 UTC
(
hide
)
Description:
libxml_1.8.17-2-secfix.diff
Filename:
MIME Type:
Creator:
Thomas Biege
Created:
2004-12-17 19:33:44 UTC
Size:
3.90 KB
patch
obsolete
>--- libxml-1.8.17.orig/nanoftp.c >+++ libxml-1.8.17/nanoftp.c >@@ -65,6 +65,8 @@ > #define FTP_GET_PASSWD 331 > #define FTP_BUF_SIZE 512 > >+#define XML_NANO_MAX_URLBUF 4096 >+ > typedef struct xmlNanoFTPCtxt { > char *protocol; /* the protocol name */ > char *hostname; /* the host name */ >@@ -203,7 +205,7 @@ > xmlNanoFTPScanURL(void *ctx, const char *URL) { > xmlNanoFTPCtxtPtr ctxt = (xmlNanoFTPCtxtPtr) ctx; > const char *cur = URL; >- char buf[4096]; >+ char buf[XML_NANO_MAX_URLBUF]; > int index = 0; > int port = 0; > >@@ -221,7 +223,7 @@ > } > if (URL == NULL) return; > buf[index] = 0; >- while (*cur != 0) { >+ while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF - 1)) { > if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) { > buf[index] = 0; > ctxt->protocol = xmlMemStrdup(buf); >@@ -234,7 +236,7 @@ > if (*cur == 0) return; > > buf[index] = 0; >- while (1) { >+ while (index < XML_NANO_MAX_URLBUF - 1) { > if (cur[0] == ':') { > buf[index] = 0; > ctxt->hostname = xmlMemStrdup(buf); >@@ -263,7 +265,7 @@ > else { > index = 0; > buf[index] = 0; >- while (*cur != 0) >+ while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) > buf[index++] = *cur++; > buf[index] = 0; > ctxt->path = xmlMemStrdup(buf); >@@ -288,7 +290,7 @@ > xmlNanoFTPUpdateURL(void *ctx, const char *URL) { > xmlNanoFTPCtxtPtr ctxt = (xmlNanoFTPCtxtPtr) ctx; > const char *cur = URL; >- char buf[4096]; >+ char buf[XML_NANO_MAX_URLBUF]; > int index = 0; > int port = 0; > >@@ -301,7 +303,7 @@ > if (ctxt->hostname == NULL) > return(-1); > buf[index] = 0; >- while (*cur != 0) { >+ while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) { > if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) { > buf[index] = 0; > if (strcmp(ctxt->protocol, buf)) >@@ -353,7 +355,7 @@ > else { > index = 0; > buf[index] = 0; >- while (*cur != 0) >+ while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) > buf[index++] = *cur++; > buf[index] = 0; > ctxt->path = xmlMemStrdup(buf); >@@ -374,7 +376,7 @@ > void > xmlNanoFTPScanProxy(const char *URL) { > const char *cur = URL; >- char buf[4096]; >+ char buf[XML_NANO_MAX_URLBUF]; > int index = 0; > int port = 0; > >@@ -393,7 +395,7 @@ > #endif > if (URL == NULL) return; > buf[index] = 0; >- while (*cur != 0) { >+ while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) { > if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) { > buf[index] = 0; > index = 0; >@@ -828,6 +830,11 @@ > if (hp == NULL) > return(-1); > >+ if ((unsigned int) hp->h_length > >+ sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) { >+ return (-1); >+ } >+ > /* > * Prepare the socket > */ >--- libxml-1.8.17.orig/nanohttp.c >+++ libxml-1.8.17/nanohttp.c >@@ -161,6 +161,7 @@ > const char *cur = URL; > char buf[4096]; > int index = 0; >+ const int indexMax = 4096 - 1; > int port = 0; > > if (ctxt->protocol != NULL) { >@@ -177,7 +178,7 @@ > } > if (URL == NULL) return; > buf[index] = 0; >- while (*cur != 0) { >+ while ((*cur != 0) && (index < indexMax)) { > if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) { > buf[index] = 0; > ctxt->protocol = xmlMemStrdup(buf); >@@ -219,7 +220,7 @@ > else { > index = 0; > buf[index] = 0; >- while (*cur != 0) >+ while ((*cur != 0) && (index < indexMax)) > buf[index++] = *cur++; > buf[index] = 0; > ctxt->path = xmlMemStrdup(buf); >@@ -241,6 +242,7 @@ > const char *cur = URL; > char buf[4096]; > int index = 0; >+ const int indexMax = 4096 - 1; > int port = 0; > > if (proxy != NULL) { >@@ -258,7 +260,7 @@ > #endif > if (URL == NULL) return; > buf[index] = 0; >- while (*cur != 0) { >+ while ((*cur != 0) && (index < indexMax)) { > if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) { > buf[index] = 0; > index = 0;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=27162">View the attachment on a separate page</a>.</b>
Actions:
View
|
Diff
Attachments on
bug 64362
: 27162 |
27167
|
27168