author | Aleksey Sanin <aleksey@src.gnome.org> | 2002-06-14 17:07:10 +0000 |
---|---|---|
committer | Aleksey Sanin <aleksey@src.gnome.org> | 2002-06-14 17:07:10 +0000 |
commit | 49cc97565fbe2928388a1e437c44429097a504ae (patch) | |
tree | e96c37456485dd61090411351595f4fb820c73b0 | |
parent | e059b891efee0c1834c8a02358eb57cca6587177 (diff) | |
download | libxml2-49cc97565fbe2928388a1e437c44429097a504ae.tar.gz |
replaced sprintf() with snprintf() to prevent possible buffer overflow
* DOCBparser.c HTMLparser.c debugXML.c encoding.c
nanoftp.c nanohttp.c parser.c tree.c uri.c xmlIO.c
xmllint.c xpath.c: replaced sprintf() with snprintf()
to prevent possible buffer overflow (the bug was pointed
out by Anju Premachandran)
-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | DOCBparser.c | 2 | ||||
-rw-r--r-- | HTMLparser.c | 2 | ||||
-rw-r--r-- | debugXML.c | 4 | ||||
-rw-r--r-- | encoding.c | 2 | ||||
-rw-r--r-- | nanoftp.c | 10 | ||||
-rw-r--r-- | nanohttp.c | 20 | ||||
-rw-r--r-- | parser.c | 4 | ||||
-rw-r--r-- | tree.c | 8 | ||||
-rw-r--r-- | uri.c | 2 | ||||
-rw-r--r-- | xmlIO.c | 10 | ||||
-rw-r--r-- | xmllint.c | 37 | ||||
-rw-r--r-- | xpath.c | 8 |
13 files changed, 72 insertions, 45 deletions
@@ -1,3 +1,11 @@ +2002-06-14 Aleksey Sanin <set EMAIL_ADDRESS environment variable> + + * DOCBparser.c HTMLparser.c debugXML.c encoding.c + nanoftp.c nanohttp.c parser.c tree.c uri.c xmlIO.c + xmllint.c xpath.c: replaced sprintf() with snprintf() + to prevent possible buffer overflow (the bug was pointed + out by Anju Premachandran) + Thu Jun 13 17:30:25 CEST 2002 Daniel Veillard <daniel@veillard.com> * parser.c: removed an uninitialized data error popped by valgrind diff --git a/DOCBparser.c b/DOCBparser.c index 3670c5af..1cb0ebf1 100644 --- a/DOCBparser.c +++ b/DOCBparser.c @@ -2298,7 +2298,7 @@ docbEncodeEntities(unsigned char* out, int *outlen, */ ent = docbEntityValueLookup(c); if (ent == NULL) { - sprintf(nbuf, "#%u", c); + snprintf(nbuf, sizeof(nbuf), "#%u", c); cp = nbuf; } else diff --git a/HTMLparser.c b/HTMLparser.c index 82202aa7..4a24d687 100644 --- a/HTMLparser.c +++ b/HTMLparser.c @@ -1572,7 +1572,7 @@ htmlEncodeEntities(unsigned char* out, int *outlen, */ ent = htmlEntityValueLookup(c); if (ent == NULL) { - sprintf(nbuf, "#%u", c); + snprintf(nbuf, sizeof(nbuf), "#%u", c); cp = nbuf; } else @@ -1980,11 +1980,11 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, #endif /* LIBXML_XPATH_ENABLED */ while (1) { if (ctxt->node == (xmlNodePtr) ctxt->doc) - sprintf(prompt, "%s > ", "/"); + snprintf(prompt, sizeof(prompt), "%s > ", "/"); else if (ctxt->node->name) snprintf(prompt, sizeof(prompt), "%s > ", ctxt->node->name); else - sprintf(prompt, "? > "); + snprintf(prompt, sizeof(prompt), "? > "); prompt[sizeof(prompt) - 1] = 0; /* @@ -2270,7 +2270,7 @@ retry: * and continue the transcoding phase, hoping the error * did not mangle the encoder state. */ - sprintf((char *) charref, "&#%d;", cur); + snprintf((char *) charref, sizeof(charref), "&#%d;", cur); xmlBufferShrink(in, len); xmlBufferAddHead(in, charref, -1); 
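Review bot: In the DOCBparser.c hunk, `sizeof(nbuf)` is the right bound only if `nbuf` is declared as an array inside docbEncodeEntities, and that declaration is outside the hunk; with a pointer the limit would silently become the pointer size. The same needs confirming for `nbuf` in htmlEncodeEntities and `charref` in the encoding.c hunk, and for `out` and `prefix` in the parser.c and tree.c hunks further down. Where the declaration is far from the call I would add a short comment at the call site, e.g. `/* nbuf is a local array, so sizeof is its full size */`. None of these calls checks the return value, so in the encoding.c hunk a truncated `&#%d;` would still be handed to `xmlBufferAddHead(in, charref, -1)`.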
@@ -780,7 +780,7 @@ xmlNanoFTPSendUser(void *ctx) { int res; if (ctxt->user == NULL) - sprintf(buf, "USER anonymous\r\n"); + snprintf(buf, sizeof(buf), "USER anonymous\r\n"); else snprintf(buf, sizeof(buf), "USER %s\r\n", ctxt->user); buf[sizeof(buf) - 1] = 0; @@ -835,7 +835,7 @@ xmlNanoFTPQuit(void *ctx) { int len; int res; - sprintf(buf, "QUIT\r\n"); + snprintf(buf, sizeof(buf), "QUIT\r\n"); len = strlen(buf); #ifdef DEBUG_FTP xmlGenericError(xmlGenericErrorContext, "%s", buf); /* Just to be consistent, even though we know it can't have a % in it */ @@ -1257,7 +1257,7 @@ xmlNanoFTPGetConnection(void *ctx) { dataAddr.sin_family = AF_INET; if (ctxt->passive) { - sprintf(buf, "PASV\r\n"); + snprintf(buf, sizeof(buf), "PASV\r\n"); len = strlen(buf); #ifdef DEBUG_FTP xmlGenericError(xmlGenericErrorContext, "%s", buf); @@ -1546,7 +1546,7 @@ xmlNanoFTPList(void *ctx, ftpListCallback callback, void *userData, ctxt->dataFd = xmlNanoFTPGetConnection(ctxt); if (ctxt->dataFd == -1) return(-1); - sprintf(buf, "LIST -L\r\n"); + snprintf(buf, sizeof(buf), "LIST -L\r\n"); } else { if (filename[0] != '/') { if (xmlNanoFTPCwd(ctxt, ctxt->path) < 1) @@ -1651,7 +1651,7 @@ xmlNanoFTPGetSocket(void *ctx, const char *filename) { if (ctxt->dataFd == -1) return(-1); - sprintf(buf, "TYPE I\r\n"); + snprintf(buf, sizeof(buf), "TYPE I\r\n"); len = strlen(buf); #ifdef DEBUG_FTP xmlGenericError(xmlGenericErrorContext, "%s", buf); 
@@ -1137,28 +1137,30 @@ retry: if (proxy) { if (ctxt->port != 80) { - p += sprintf( p, "%s http://%s:%d%s", method, ctxt->hostname, + p += snprintf( p, blen - (p - bp), "%s http://%s:%d%s", + method, ctxt->hostname, ctxt->port, ctxt->path ); } - else - p += sprintf( p, "%s http://%s%s", method, + else + p += snprintf( p, blen - (p - bp), "%s http://%s%s", method, ctxt->hostname, ctxt->path); } else - p += sprintf( p, "%s %s", method, ctxt->path); + p += snprintf( p, blen - (p - bp), "%s %s", method, ctxt->path); - p += sprintf(p, " HTTP/1.0\r\nHost: %s\r\n", ctxt->hostname); + p += snprintf( p, blen - (p - bp), " HTTP/1.0\r\nHost: %s\r\n", + ctxt->hostname); if (contentType != NULL && *contentType) - p += sprintf(p, "Content-Type: %s\r\n", *contentType); + p += snprintf(p, blen - (p - bp), "Content-Type: %s\r\n", *contentType); if (headers != NULL) - p += sprintf( p, "%s", headers ); + p += snprintf( p, blen - (p - bp), "%s", headers ); if (input != NULL) - sprintf(p, "Content-Length: %d\r\n\r\n", ilen ); + snprintf(p, blen - (p - bp), "Content-Length: %d\r\n\r\n", ilen ); else - strcpy(p, "\r\n"); + snprintf(p, blen - (p - bp), "\r\n"); #ifdef DEBUG_HTTP xmlGenericError(xmlGenericErrorContext, @@ -5348,9 +5348,9 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { ctxt->sax->characters(ctxt->userData, out, 1); } else { if ((hex == 'x') || (hex == 'X')) - sprintf((char *)out, "#x%X", value); + snprintf((char *)out, sizeof(out), "#x%X", value); else - sprintf((char *)out, "#%d", value); + snprintf((char *)out, sizeof(out), "#%d", value); if ((ctxt->sax != NULL) && (ctxt->sax->reference != NULL) && (!ctxt->disableSAX)) ctxt->sax->reference(ctxt->userData, out); 
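Review bot: In the request-building hunk at -1137, each `p += snprintf(p, blen - (p - bp), ...)` adds the length that would have been written, not the length actually stored, so one truncated call moves `p` past `bp + blen`. From then on `blen - (p - bp)` is negative and, converted to `size_t`, gives the following calls an effectively unlimited bound, which reintroduces the overflow this change is meant to remove. How `blen` is computed is outside the hunk, so this may not be reachable today, but the code should not rely on that: keep the result in a local and stop on truncation, e.g. `n = snprintf(p, rem, ...); if (n < 0 || n >= rem) /* take the error path */; p += n; rem -= n;`. The uri.c hunk below has the same shape in `len += snprintf((char *) &ret[len], max - len, ":%d", uri->port);`.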
@@ -4599,17 +4599,17 @@ xmlNewReconciliedNs(xmlDocPtr doc, xmlNodePtr tree, xmlNsPtr ns) { * Let's strip namespace prefixes longer than 20 chars ! */ if (ns->prefix == NULL) - sprintf((char *) prefix, "default"); + snprintf((char *) prefix, sizeof(prefix), "default"); else - sprintf((char *) prefix, "%.20s", ns->prefix); + snprintf((char *) prefix, sizeof(prefix), "%.20s", ns->prefix); def = xmlSearchNs(doc, tree, prefix); while (def != NULL) { if (counter > 1000) return(NULL); if (ns->prefix == NULL) - sprintf((char *) prefix, "default%d", counter++); + snprintf((char *) prefix, sizeof(prefix), "default%d", counter++); else - sprintf((char *) prefix, "%.20s%d", ns->prefix, counter++); + snprintf((char *) prefix, sizeof(prefix), "%.20s%d", ns->prefix, counter++); def = xmlSearchNs(doc, tree, prefix); } @@ -372,7 +372,7 @@ xmlSaveUri(xmlURIPtr uri) { return(NULL); } } - len += sprintf((char *) &ret[len], ":%d", uri->port); + len += snprintf((char *) &ret[len], max - len, ":%d", uri->port); } } else if (uri->authority != NULL) { if (len + 3 >= max) { @@ -492,7 +492,7 @@ xmlGzfileOpenW (const char *filename, int compression) { char mode[15]; gzFile fd; - sprintf(mode, "wb%d", compression); + snprintf(mode, sizeof(mode), "wb%d", compression); if (!strcmp(filename, "-")) { fd = gzdopen(dup(1), mode); return((void *) fd); @@ -714,9 +714,9 @@ xmlCreateZMemBuff( int compression ) { } /* Set the header data. The CRC will be needed for the trailer */ - buff->crc = crc32( 0L, Z_NULL, 0 ); - hdr_lgth = sprintf( (char *)buff->zbuff, "%c%c%c%c%c%c%c%c%c%c", + hdr_lgth = snprintf( (char *)buff->zbuff, buff->size, + "%c%c%c%c%c%c%c%c%c%c", GZ_MAGIC1, GZ_MAGIC2, Z_DEFLATED, 0, 0, 0, 0, 0, 0, LXML_ZLIB_OS_CODE ); buff->zctrl.next_out = buff->zbuff + hdr_lgth; 
@@ -1182,7 +1182,7 @@ xmlIOHTTPCloseWrite( void * context, const char * http_mthd ) { dump_name = tempnam( NULL, "lxml" ); if ( dump_name != NULL ) { - (void)sprintf( buffer, "%s.content", dump_name ); + (void)snprintf( buffer, sizeof(buffer), "%s.content", dump_name ); tst_file = fopen( buffer, "w" ); if ( tst_file != NULL ) { @@ -1194,7 +1194,7 @@ xmlIOHTTPCloseWrite( void * context, const char * http_mthd ) { fclose( tst_file ); } - (void)sprintf( buffer, "%s.reply", dump_name ); + (void)snprintf( buffer, sizeof(buffer), "%s.reply", dump_name ); tst_file = fopen( buffer, "w" ); if ( tst_file != NULL ) { xmlGenericError( xmlGenericErrorContext, @@ -285,13 +285,16 @@ xmlHTMLEncodeSend(void) { static void xmlHTMLPrintFileInfo(xmlParserInputPtr input) { + int len; xmlGenericError(xmlGenericErrorContext, "<p>"); + + len = strlen(buffer); if (input != NULL) { if (input->filename) { - sprintf(&buffer[strlen(buffer)], "%s:%d: ", input->filename, + snprintf(&buffer[len], sizeof(buffer) - len, "%s:%d: ", input->filename, input->line); } else { - sprintf(&buffer[strlen(buffer)], "Entity: line %d: ", input->line); + snprintf(&buffer[len], sizeof(buffer) - len, "Entity: line %d: ", input->line); } } xmlHTMLEncodeSend(); @@ -307,6 +310,7 @@ xmlHTMLPrintFileInfo(xmlParserInputPtr input) { static void xmlHTMLPrintFileContext(xmlParserInputPtr input) { const xmlChar *cur, *base; + int len; int n; if (input == NULL) return; 
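Review bot: In xmlIOHTTPCloseWrite the bounded `snprintf` still builds its path from `tempnam()` and passes it to `fopen(buffer, "w")`, a predictable name opened without exclusive creation, so another local user could pre-create the file or place a symlink there. Both hunks in this function (-1182 and -1194) only bound the formatting; I would create the dump files with `mkstemp()` plus `fdopen()`, or `open()` with `O_CREAT | O_EXCL` and mode 0600. The `(void)` cast also discards the result, so a truncated name would open a different file than intended; compare it with `sizeof(buffer)` before calling `fopen`. This looks like debug-only dump code, but any preprocessor guard around it is outside the hunk.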
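Review bot: In xmlHTMLPrintFileInfo the new `int len` receives the `size_t` result of `strlen(buffer)` and is then used in `sizeof(buffer) - len`, a signed/unsigned mix inside a bounds calculation; declare it `size_t len;`. The same declaration is added in xmlHTMLPrintFileContext, xmlHTMLError, xmlHTMLWarning, xmlHTMLValidityError and xmlHTMLValidityWarning in the following xmllint.c hunks. In xmlHTMLPrintFileContext the loops call `strlen(buffer)` again for every character appended; a running offset advanced by the bytes actually stored would avoid the rescans. The definition of `buffer` is outside these hunks.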
@@ -323,19 +327,24 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) { base = cur; n = 0; while ((*cur != 0) && (*cur != '\n') && (*cur != '\r') && (n < 79)) { - sprintf(&buffer[strlen(buffer)], "%c", (unsigned char) *cur++); + len = strlen(buffer); + snprintf(&buffer[len], sizeof(buffer) - len, "%c", + (unsigned char) *cur++); n++; } - sprintf(&buffer[strlen(buffer)], "\n"); + len = strlen(buffer); + snprintf(&buffer[len], sizeof(buffer) - len, "\n"); cur = input->cur; while ((*cur == '\n') || (*cur == '\r')) cur--; n = 0; while ((cur != base) && (n++ < 80)) { - sprintf(&buffer[strlen(buffer)], " "); + len = strlen(buffer); + snprintf(&buffer[len], sizeof(buffer) - len, " "); base++; } - sprintf(&buffer[strlen(buffer)],"^\n"); + len = strlen(buffer); + snprintf(&buffer[len], sizeof(buffer) - len, "^\n"); xmlHTMLEncodeSend(); xmlGenericError(xmlGenericErrorContext, "</pre>"); } @@ -356,6 +365,7 @@ xmlHTMLError(void *ctx, const char *msg, ...) xmlParserInputPtr input; xmlParserInputPtr cur = NULL; va_list args; + int len; buffer[0] = 0; input = ctxt->input; @@ -368,7 +378,8 @@ xmlHTMLError(void *ctx, const char *msg, ...) xmlGenericError(xmlGenericErrorContext, "<b>error</b>: "); va_start(args, msg); - vsprintf(&buffer[strlen(buffer)], msg, args); + len = strlen(buffer); + vsnprintf(&buffer[len], sizeof(buffer) - len, msg, args); va_end(args); xmlHTMLEncodeSend(); xmlGenericError(xmlGenericErrorContext, "</p>\n"); @@ -393,6 +404,7 @@ xmlHTMLWarning(void *ctx, const char *msg, ...) xmlParserInputPtr input; xmlParserInputPtr cur = NULL; va_list args; + int len; buffer[0] = 0; input = ctxt->input; @@ -406,7 +418,8 @@ xmlHTMLWarning(void *ctx, const char *msg, ...) xmlGenericError(xmlGenericErrorContext, "<b>warning</b>: "); va_start(args, msg); - vsprintf(&buffer[strlen(buffer)], msg, args); + len = strlen(buffer); + vsnprintf(&buffer[len], sizeof(buffer) - len, msg, args); va_end(args); xmlHTMLEncodeSend(); xmlGenericError(xmlGenericErrorContext, "</p>\n"); 
@@ -430,6 +443,7 @@ xmlHTMLValidityError(void *ctx, const char *msg, ...) xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; xmlParserInputPtr input; va_list args; + int len; buffer[0] = 0; input = ctxt->input; @@ -439,8 +453,9 @@ xmlHTMLValidityError(void *ctx, const char *msg, ...) xmlHTMLPrintFileInfo(input); xmlGenericError(xmlGenericErrorContext, "<b>validity error</b>: "); + len = strlen(buffer); va_start(args, msg); - vsprintf(&buffer[strlen(buffer)], msg, args); + vsnprintf(&buffer[len], sizeof(buffer) - len, msg, args); va_end(args); xmlHTMLEncodeSend(); xmlGenericError(xmlGenericErrorContext, "</p>\n"); @@ -464,6 +479,7 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...) xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; xmlParserInputPtr input; va_list args; + int len; buffer[0] = 0; input = ctxt->input; @@ -474,7 +490,8 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...) xmlGenericError(xmlGenericErrorContext, "<b>validity warning</b>: "); va_start(args, msg); - vsprintf(&buffer[strlen(buffer)], msg, args); + len = strlen(buffer); + vsnprintf(&buffer[len], sizeof(buffer) - len, msg, args); va_end(args); xmlHTMLEncodeSend(); xmlGenericError(xmlGenericErrorContext, "</p>\n"); @@ -1135,18 +1135,18 @@ xmlXPathFormatNumber(double number, char buffer[], int buffersize) switch (xmlXPathIsInf(number)) { case 1: if (buffersize > (int)sizeof("Infinity")) - sprintf(buffer, "Infinity"); + snprintf(buffer, buffersize, "Infinity"); break; case -1: if (buffersize > (int)sizeof("-Infinity")) - sprintf(buffer, "-Infinity"); + snprintf(buffer, buffersize, "-Infinity"); break; default: if (xmlXPathIsNaN(number)) { if (buffersize > (int)sizeof("NaN")) - sprintf(buffer, "NaN"); + snprintf(buffer, buffersize, "NaN"); } else if (number == 0 && xmlXPathGetSign(number) != 0) { - sprintf(buffer, "0"); + snprintf(buffer, buffersize, "0"); } else if (number == ((int) number)) { char work[30]; char *ptr, *cur; |
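Review bot: In the xmlXPathFormatNumber hunk, `buffersize` is an `int` passed where `snprintf` expects a `size_t`, and the `"0"` branch has no size guard, so a negative value would convert to a very large bound. The guarded branches leave `buffer` untouched when the guard fails, so the caller may then read stale or unterminated data. I would reject `buffersize <= 0` at the top of the function and terminate the buffer in the failing cases with `buffer[0] = 0;`, or drop the `sizeof("Infinity")`-style guards now that `snprintf` truncates and terminates on its own. The function body continues past the end of the hunk.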