[xml/sgml-commit] r304 - in packages/libxml/trunk: . debian
Mike Hommey
glandium-guest@haydn.debian.org
Thu, 28 Oct 2004 02:51:40 -0600
Author: glandium-guest
Date: 2004-10-28 02:51:23 -0600 (Thu, 28 Oct 2004)
New Revision: 304
Modified:
packages/libxml/trunk/debian/changelog
packages/libxml/trunk/nanoftp.c
Log:
Fix Buffer Overflow [CAN-2004-0989]
Modified: packages/libxml/trunk/debian/changelog
===================================================================
--- packages/libxml/trunk/debian/changelog 2004-10-28 08:38:43 UTC (rev 303)
+++ packages/libxml/trunk/debian/changelog 2004-10-28 08:51:23 UTC (rev 304)
@@ -1,3 +1,10 @@
+libxml (1:1.8.17-9) unstable; urgency=low
+
+ * Backport patch from libxml2-2.6.15 to fix buffer overflows [nanohttp.c,
+ nanoftp.c, CAN-2004-0989]
+
+ -- Mike Hommey <mh@glandium.org> Thu, 28 Oct 2004 17:50:04 +0900
+
libxml (1:1.8.17-8) unstable; urgency=low
* debian/control: changed deps on libz-dev to zlib1g-dev | libz-dev.
Modified: packages/libxml/trunk/nanoftp.c
===================================================================
--- packages/libxml/trunk/nanoftp.c 2004-10-28 08:38:43 UTC (rev 303)
+++ packages/libxml/trunk/nanoftp.c 2004-10-28 08:51:23 UTC (rev 304)
@@ -236,7 +236,7 @@
if (*cur == 0) return;
buf[index] = 0;
- while (1) {
+ while (index < XML_NANO_MAX_URLBUF - 1) {
if (cur[0] == ':') {
buf[index] = 0;
ctxt->hostname = xmlMemStrdup(buf);
@@ -830,6 +830,11 @@
if (hp == NULL)
return(-1);
+ if ((unsigned int) hp->h_length >
+ sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) {
+ return (-1);
+ }
+
/*
* Prepare the socket
*/