mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-27 18:50:07 +03:00

replaced sprintf() with snprintf() to prevent possible buffer overflow

* DOCBparser.c HTMLparser.c debugXML.c encoding.c
nanoftp.c nanohttp.c parser.c tree.c uri.c xmlIO.c
xmllint.c xpath.c: replaced sprintf() with snprintf()
to prevent possible buffer overflow (the bug was pointed
out by Anju Premachandran)
Aleksey Sanin 2002-06-14 17:07:10 +00:00
parent e059b891ef
commit 49cc97565f
13 changed files with 72 additions and 45 deletions


@ -1,3 +1,11 @@
2002-06-14 Aleksey Sanin <set EMAIL_ADDRESS environment variable>
* DOCBparser.c HTMLparser.c debugXML.c encoding.c
nanoftp.c nanohttp.c parser.c tree.c uri.c xmlIO.c
xmllint.c xpath.c: replaced sprintf() with snprintf()
to prevent possible buffer overflow (the bug was pointed
out by Anju Premachandran)
Thu Jun 13 17:30:25 CEST 2002 Daniel Veillard <daniel@veillard.com>
* parser.c: removed an uninitialized data error popped by valgrind


@ -2298,7 +2298,7 @@ docbEncodeEntities(unsigned char* out, int *outlen,
*/
ent = docbEntityValueLookup(c);
if (ent == NULL) {
sprintf(nbuf, "#%u", c);
snprintf(nbuf, sizeof(nbuf), "#%u", c);
cp = nbuf;
}
else
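Review bot: `sizeof(nbuf)` is the right bound only if `nbuf` is an array declared inside docbEncodeEntities; its declaration lies outside this hunk, and on a pointer the bound would silently become the pointer size. The same needs confirming for the other `sizeof`-bounded calls in this commit: `nbuf` in htmlEncodeEntities, `charref` in the encoding hunk, `out` in xmlParseReference and `prefix` in xmlNewReconciliedNs. A short comment at each declaration would record the dependency, for example `/* must stay an array: snprintf() below bounds with sizeof(nbuf) */`.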


@ -1572,7 +1572,7 @@ htmlEncodeEntities(unsigned char* out, int *outlen,
*/
ent = htmlEntityValueLookup(c);
if (ent == NULL) {
sprintf(nbuf, "#%u", c);
snprintf(nbuf, sizeof(nbuf), "#%u", c);
cp = nbuf;
}
else


@ -1980,11 +1980,11 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
#endif /* LIBXML_XPATH_ENABLED */
while (1) {
if (ctxt->node == (xmlNodePtr) ctxt->doc)
sprintf(prompt, "%s > ", "/");
snprintf(prompt, sizeof(prompt), "%s > ", "/");
else if (ctxt->node->name)
snprintf(prompt, sizeof(prompt), "%s > ", ctxt->node->name);
else
sprintf(prompt, "? > ");
snprintf(prompt, sizeof(prompt), "? > ");
prompt[sizeof(prompt) - 1] = 0;
/*


@ -2270,7 +2270,7 @@ retry:
* and continue the transcoding phase, hoping the error
* did not mangle the encoder state.
*/
sprintf((char *) charref, "&#%d;", cur);
snprintf((char *) charref, sizeof(charref), "&#%d;", cur);
xmlBufferShrink(in, len);
xmlBufferAddHead(in, charref, -1);


@ -780,7 +780,7 @@ xmlNanoFTPSendUser(void *ctx) {
int res;
if (ctxt->user == NULL)
sprintf(buf, "USER anonymous\r\n");
snprintf(buf, sizeof(buf), "USER anonymous\r\n");
else
snprintf(buf, sizeof(buf), "USER %s\r\n", ctxt->user);
buf[sizeof(buf) - 1] = 0;
@ -835,7 +835,7 @@ xmlNanoFTPQuit(void *ctx) {
int len;
int res;
sprintf(buf, "QUIT\r\n");
snprintf(buf, sizeof(buf), "QUIT\r\n");
len = strlen(buf);
#ifdef DEBUG_FTP
xmlGenericError(xmlGenericErrorContext, "%s", buf); /* Just to be consistent, even though we know it can't have a % in it */
@ -1257,7 +1257,7 @@ xmlNanoFTPGetConnection(void *ctx) {
dataAddr.sin_family = AF_INET;
if (ctxt->passive) {
sprintf(buf, "PASV\r\n");
snprintf(buf, sizeof(buf), "PASV\r\n");
len = strlen(buf);
#ifdef DEBUG_FTP
xmlGenericError(xmlGenericErrorContext, "%s", buf);
@ -1546,7 +1546,7 @@ xmlNanoFTPList(void *ctx, ftpListCallback callback, void *userData,
ctxt->dataFd = xmlNanoFTPGetConnection(ctxt);
if (ctxt->dataFd == -1)
return(-1);
sprintf(buf, "LIST -L\r\n");
snprintf(buf, sizeof(buf), "LIST -L\r\n");
} else {
if (filename[0] != '/') {
if (xmlNanoFTPCwd(ctxt, ctxt->path) < 1)
@ -1651,7 +1651,7 @@ xmlNanoFTPGetSocket(void *ctx, const char *filename) {
if (ctxt->dataFd == -1)
return(-1);
sprintf(buf, "TYPE I\r\n");
snprintf(buf, sizeof(buf), "TYPE I\r\n");
len = strlen(buf);
#ifdef DEBUG_FTP
xmlGenericError(xmlGenericErrorContext, "%s", buf);


@ -1137,28 +1137,30 @@ retry:
if (proxy) {
if (ctxt->port != 80) {
p += sprintf( p, "%s http://%s:%d%s", method, ctxt->hostname,
p += snprintf( p, blen - (p - bp), "%s http://%s:%d%s",
method, ctxt->hostname,
ctxt->port, ctxt->path );
}
else
p += sprintf( p, "%s http://%s%s", method,
else
p += snprintf( p, blen - (p - bp), "%s http://%s%s", method,
ctxt->hostname, ctxt->path);
}
else
p += sprintf( p, "%s %s", method, ctxt->path);
p += snprintf( p, blen - (p - bp), "%s %s", method, ctxt->path);
p += sprintf(p, " HTTP/1.0\r\nHost: %s\r\n", ctxt->hostname);
p += snprintf( p, blen - (p - bp), " HTTP/1.0\r\nHost: %s\r\n",
ctxt->hostname);
if (contentType != NULL && *contentType)
p += sprintf(p, "Content-Type: %s\r\n", *contentType);
p += snprintf(p, blen - (p - bp), "Content-Type: %s\r\n", *contentType);
if (headers != NULL)
p += sprintf( p, "%s", headers );
p += snprintf( p, blen - (p - bp), "%s", headers );
if (input != NULL)
sprintf(p, "Content-Length: %d\r\n\r\n", ilen );
snprintf(p, blen - (p - bp), "Content-Length: %d\r\n\r\n", ilen );
else
strcpy(p, "\r\n");
snprintf(p, blen - (p - bp), "\r\n");
#ifdef DEBUG_HTTP
xmlGenericError(xmlGenericErrorContext,
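Review bot: `p += snprintf(p, blen - (p - bp), ...)` still lets the cursor run past the buffer, because a C99 snprintf() returns the length the output would have had, not the length actually written. After one truncated call `p - bp` exceeds `blen`, so the next size argument goes negative and, converted to size_t (assuming `blen` is a signed int; it is declared outside the hunk), becomes a huge bound, while older snprintf() implementations that return -1 would move `p` backwards instead. Each return value needs checking before it is added, as sketched below with new locals `n` and `left`. The same pattern appears in the uri.c hunk (`len += snprintf(...)`) and in xmlCreateZMemBuff (`hdr_lgth = snprintf(...)` used as an offset). The enclosing function starts and ends outside the hunk, so the error path is left as a comment.

```c
/* … unchanged: proxy / port branch selection … */
n = snprintf(p, left, "%s %s", method, ctxt->path);
if (n < 0 || (size_t) n >= left) {
    /* truncated or failed: leave via the function's existing error path */
} else {
    p += n;
    left -= (size_t) n;
}
/* … the same check after each remaining snprintf() call … */
```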


@ -5348,9 +5348,9 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
ctxt->sax->characters(ctxt->userData, out, 1);
} else {
if ((hex == 'x') || (hex == 'X'))
sprintf((char *)out, "#x%X", value);
snprintf((char *)out, sizeof(out), "#x%X", value);
else
sprintf((char *)out, "#%d", value);
snprintf((char *)out, sizeof(out), "#%d", value);
if ((ctxt->sax != NULL) && (ctxt->sax->reference != NULL) &&
(!ctxt->disableSAX))
ctxt->sax->reference(ctxt->userData, out);

8
tree.c

@ -4599,17 +4599,17 @@ xmlNewReconciliedNs(xmlDocPtr doc, xmlNodePtr tree, xmlNsPtr ns) {
* Let's strip namespace prefixes longer than 20 chars !
*/
if (ns->prefix == NULL)
sprintf((char *) prefix, "default");
snprintf((char *) prefix, sizeof(prefix), "default");
else
sprintf((char *) prefix, "%.20s", ns->prefix);
snprintf((char *) prefix, sizeof(prefix), "%.20s", ns->prefix);
def = xmlSearchNs(doc, tree, prefix);
while (def != NULL) {
if (counter > 1000) return(NULL);
if (ns->prefix == NULL)
sprintf((char *) prefix, "default%d", counter++);
snprintf((char *) prefix, sizeof(prefix), "default%d", counter++);
else
sprintf((char *) prefix, "%.20s%d", ns->prefix, counter++);
snprintf((char *) prefix, sizeof(prefix), "%.20s%d", ns->prefix, counter++);
def = xmlSearchNs(doc, tree, prefix);
}

2
uri.c

@ -372,7 +372,7 @@ xmlSaveUri(xmlURIPtr uri) {
return(NULL);
}
}
len += sprintf((char *) &ret[len], ":%d", uri->port);
len += snprintf((char *) &ret[len], max - len, ":%d", uri->port);
}
} else if (uri->authority != NULL) {
if (len + 3 >= max) {

10
xmlIO.c

@ -492,7 +492,7 @@ xmlGzfileOpenW (const char *filename, int compression) {
char mode[15];
gzFile fd;
sprintf(mode, "wb%d", compression);
snprintf(mode, sizeof(mode), "wb%d", compression);
if (!strcmp(filename, "-")) {
fd = gzdopen(dup(1), mode);
return((void *) fd);
@ -714,9 +714,9 @@ xmlCreateZMemBuff( int compression ) {
}
/* Set the header data. The CRC will be needed for the trailer */
buff->crc = crc32( 0L, Z_NULL, 0 );
hdr_lgth = sprintf( (char *)buff->zbuff, "%c%c%c%c%c%c%c%c%c%c",
hdr_lgth = snprintf( (char *)buff->zbuff, buff->size,
"%c%c%c%c%c%c%c%c%c%c",
GZ_MAGIC1, GZ_MAGIC2, Z_DEFLATED,
0, 0, 0, 0, 0, 0, LXML_ZLIB_OS_CODE );
buff->zctrl.next_out = buff->zbuff + hdr_lgth;
@ -1182,7 +1182,7 @@ xmlIOHTTPCloseWrite( void * context, const char * http_mthd ) {
dump_name = tempnam( NULL, "lxml" );
if ( dump_name != NULL ) {
(void)sprintf( buffer, "%s.content", dump_name );
(void)snprintf( buffer, sizeof(buffer), "%s.content", dump_name );
tst_file = fopen( buffer, "w" );
if ( tst_file != NULL ) {
@ -1194,7 +1194,7 @@ xmlIOHTTPCloseWrite( void * context, const char * http_mthd ) {
fclose( tst_file );
}
(void)sprintf( buffer, "%s.reply", dump_name );
(void)snprintf( buffer, sizeof(buffer), "%s.reply", dump_name );
tst_file = fopen( buffer, "w" );
if ( tst_file != NULL ) {
xmlGenericError( xmlGenericErrorContext,
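Review bot: The two `(void)snprintf( buffer, sizeof(buffer), ... )` calls in xmlIOHTTPCloseWrite discard the return value, so a `dump_name` too long for `buffer` now yields a silently truncated path that goes straight to `fopen( buffer, "w" )`. Truncation can drop the `.content` / `.reply` suffix, so both dumps may land on the same or an unintended file. Keeping the result, `n = snprintf( buffer, sizeof(buffer), "%s.content", dump_name );`, and opening the file only when `n > 0 && (size_t) n < sizeof(buffer)` avoids writing to a truncated name. Separately, the context lines show the name coming from `tempnam()` and being created with plain `fopen`, which leaves a window between name generation and file creation; that predates this commit but deserves a follow-up. The function body continues outside both hunks.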


@ -285,13 +285,16 @@ xmlHTMLEncodeSend(void) {
static void
xmlHTMLPrintFileInfo(xmlParserInputPtr input) {
int len;
xmlGenericError(xmlGenericErrorContext, "<p>");
len = strlen(buffer);
if (input != NULL) {
if (input->filename) {
sprintf(&buffer[strlen(buffer)], "%s:%d: ", input->filename,
snprintf(&buffer[len], sizeof(buffer) - len, "%s:%d: ", input->filename,
input->line);
} else {
sprintf(&buffer[strlen(buffer)], "Entity: line %d: ", input->line);
snprintf(&buffer[len], sizeof(buffer) - len, "Entity: line %d: ", input->line);
}
}
xmlHTMLEncodeSend();
@ -307,6 +310,7 @@ xmlHTMLPrintFileInfo(xmlParserInputPtr input) {
static void
xmlHTMLPrintFileContext(xmlParserInputPtr input) {
const xmlChar *cur, *base;
int len;
int n;
if (input == NULL) return;
@ -323,19 +327,24 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) {
base = cur;
n = 0;
while ((*cur != 0) && (*cur != '\n') && (*cur != '\r') && (n < 79)) {
sprintf(&buffer[strlen(buffer)], "%c", (unsigned char) *cur++);
len = strlen(buffer);
snprintf(&buffer[len], sizeof(buffer) - len, "%c",
(unsigned char) *cur++);
n++;
}
sprintf(&buffer[strlen(buffer)], "\n");
len = strlen(buffer);
snprintf(&buffer[len], sizeof(buffer) - len, "\n");
cur = input->cur;
while ((*cur == '\n') || (*cur == '\r'))
cur--;
n = 0;
while ((cur != base) && (n++ < 80)) {
sprintf(&buffer[strlen(buffer)], " ");
len = strlen(buffer);
snprintf(&buffer[len], sizeof(buffer) - len, " ");
base++;
}
sprintf(&buffer[strlen(buffer)],"^\n");
len = strlen(buffer);
snprintf(&buffer[len], sizeof(buffer) - len, "^\n");
xmlHTMLEncodeSend();
xmlGenericError(xmlGenericErrorContext, "</pre>");
}
@ -356,6 +365,7 @@ xmlHTMLError(void *ctx, const char *msg, ...)
xmlParserInputPtr input;
xmlParserInputPtr cur = NULL;
va_list args;
int len;
buffer[0] = 0;
input = ctxt->input;
@ -368,7 +378,8 @@ xmlHTMLError(void *ctx, const char *msg, ...)
xmlGenericError(xmlGenericErrorContext, "<b>error</b>: ");
va_start(args, msg);
vsprintf(&buffer[strlen(buffer)], msg, args);
len = strlen(buffer);
vsnprintf(&buffer[len], sizeof(buffer) - len, msg, args);
va_end(args);
xmlHTMLEncodeSend();
xmlGenericError(xmlGenericErrorContext, "</p>\n");
@ -393,6 +404,7 @@ xmlHTMLWarning(void *ctx, const char *msg, ...)
xmlParserInputPtr input;
xmlParserInputPtr cur = NULL;
va_list args;
int len;
buffer[0] = 0;
input = ctxt->input;
@ -406,7 +418,8 @@ xmlHTMLWarning(void *ctx, const char *msg, ...)
xmlGenericError(xmlGenericErrorContext, "<b>warning</b>: ");
va_start(args, msg);
vsprintf(&buffer[strlen(buffer)], msg, args);
len = strlen(buffer);
vsnprintf(&buffer[len], sizeof(buffer) - len, msg, args);
va_end(args);
xmlHTMLEncodeSend();
xmlGenericError(xmlGenericErrorContext, "</p>\n");
@ -430,6 +443,7 @@ xmlHTMLValidityError(void *ctx, const char *msg, ...)
xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
xmlParserInputPtr input;
va_list args;
int len;
buffer[0] = 0;
input = ctxt->input;
@ -439,8 +453,9 @@ xmlHTMLValidityError(void *ctx, const char *msg, ...)
xmlHTMLPrintFileInfo(input);
xmlGenericError(xmlGenericErrorContext, "<b>validity error</b>: ");
len = strlen(buffer);
va_start(args, msg);
vsprintf(&buffer[strlen(buffer)], msg, args);
vsnprintf(&buffer[len], sizeof(buffer) - len, msg, args);
va_end(args);
xmlHTMLEncodeSend();
xmlGenericError(xmlGenericErrorContext, "</p>\n");
@ -464,6 +479,7 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...)
xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
xmlParserInputPtr input;
va_list args;
int len;
buffer[0] = 0;
input = ctxt->input;
@ -474,7 +490,8 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...)
xmlGenericError(xmlGenericErrorContext, "<b>validity warning</b>: ");
va_start(args, msg);
vsprintf(&buffer[strlen(buffer)], msg, args);
len = strlen(buffer);
vsnprintf(&buffer[len], sizeof(buffer) - len, msg, args);
va_end(args);
xmlHTMLEncodeSend();
xmlGenericError(xmlGenericErrorContext, "</p>\n");
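Review bot: The new `int len` receives `strlen(buffer)` and is then subtracted from `sizeof(buffer)`, which mixes a signed int into size_t arithmetic in every hunk of this section. Declaring it `size_t len;` matches both operands and removes the implicit conversions. `buffer` is declared outside the section, so `sizeof(buffer)` is assumed to see an array rather than a pointer; a comment at its declaration saying so would help the next reader.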


@ -1135,18 +1135,18 @@ xmlXPathFormatNumber(double number, char buffer[], int buffersize)
switch (xmlXPathIsInf(number)) {
case 1:
if (buffersize > (int)sizeof("Infinity"))
sprintf(buffer, "Infinity");
snprintf(buffer, buffersize, "Infinity");
break;
case -1:
if (buffersize > (int)sizeof("-Infinity"))
sprintf(buffer, "-Infinity");
snprintf(buffer, buffersize, "-Infinity");
break;
default:
if (xmlXPathIsNaN(number)) {
if (buffersize > (int)sizeof("NaN"))
sprintf(buffer, "NaN");
snprintf(buffer, buffersize, "NaN");
} else if (number == 0 && xmlXPathGetSign(number) != 0) {
sprintf(buffer, "0");
snprintf(buffer, buffersize, "0");
} else if (number == ((int) number)) {
char work[30];
char *ptr, *cur;
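Review bot: When one of the `buffersize > (int)sizeof(...)` guards fails, xmlXPathFormatNumber writes nothing at all and the caller is left with whatever `buffer` held before. Now that snprintf() bounds the write itself, the guards could be dropped, or given a fallback that at least terminates the buffer: `else if (buffersize > 0) buffer[0] = 0;`. The `"0"` branch also passes the `int buffersize` straight to snprintf(), where a negative value would convert to a very large size_t; an early return for `buffersize <= 0` at the top of the function would cover that. The function starts and ends outside the hunk.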