replaced sprintf() with snprintf() to prevent possible buffer overflow
* DOCBparser.c HTMLparser.c debugXML.c encoding.c
nanoftp.c nanohttp.c parser.c tree.c uri.c xmlIO.c
xmllint.c xpath.c: replaced sprintf() with snprintf()
to prevent possible buffer overflow (the bug was pointed
out by Anju Premachandran)
diff --git a/nanoftp.c b/nanoftp.c
index 03d6888..dddec74 100644
--- a/nanoftp.c
+++ b/nanoftp.c
@@ -780,7 +780,7 @@
int res;
if (ctxt->user == NULL)
- sprintf(buf, "USER anonymous\r\n");
+ snprintf(buf, sizeof(buf), "USER anonymous\r\n");
else
snprintf(buf, sizeof(buf), "USER %s\r\n", ctxt->user);
buf[sizeof(buf) - 1] = 0;
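Review bot: The `else` branch still ignores the return value of snprintf(), so an over-long `ctxt->user` is silently truncated and the command presumably goes out without its terminating `\r\n`. The following `buf[sizeof(buf) - 1] = 0;` only guarantees the NUL, which snprintf() already does. I would capture the result, `n = snprintf(buf, sizeof(buf), "USER %s\r\n", ctxt->user);`, and treat `if (n < 0 || (size_t)n >= sizeof(buf))` as a failed login rather than sending a partial command. If `ctxt->user` can come from a URL (not visible here), it should also be rejected when it contains CR or LF, because it is written unfiltered into a control-channel command line. The enclosing function starts and ends outside the hunk.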
@@ -835,7 +835,7 @@
int len;
int res;
- sprintf(buf, "QUIT\r\n");
+ snprintf(buf, sizeof(buf), "QUIT\r\n");
len = strlen(buf);
#ifdef DEBUG_FTP
xmlGenericError(xmlGenericErrorContext, "%s", buf); /* Just to be consistent, even though we know it can't have a % in it */
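Review bot: `sizeof(buf)` is the correct bound only where `buf` is an array declared in the same function, and that declaration is outside this hunk and also outside the hunks at 1257, 1546 and 1651. If any of those sites receives `buf` as a pointer, `sizeof(buf)` is the pointer size and a command such as `"LIST -L\r\n"` would be cut short, so each site is worth confirming against its declaration. For these constant commands the length could also be taken directly from the call, `len = snprintf(buf, sizeof(buf), "QUIT\r\n");`, instead of the separate `strlen(buf)`.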
@@ -1257,7 +1257,7 @@
dataAddr.sin_family = AF_INET;
if (ctxt->passive) {
- sprintf(buf, "PASV\r\n");
+ snprintf(buf, sizeof(buf), "PASV\r\n");
len = strlen(buf);
#ifdef DEBUG_FTP
xmlGenericError(xmlGenericErrorContext, "%s", buf);
@@ -1546,7 +1546,7 @@
ctxt->dataFd = xmlNanoFTPGetConnection(ctxt);
if (ctxt->dataFd == -1)
return(-1);
- sprintf(buf, "LIST -L\r\n");
+ snprintf(buf, sizeof(buf), "LIST -L\r\n");
} else {
if (filename[0] != '/') {
if (xmlNanoFTPCwd(ctxt, ctxt->path) < 1)
@@ -1651,7 +1651,7 @@
if (ctxt->dataFd == -1)
return(-1);
- sprintf(buf, "TYPE I\r\n");
+ snprintf(buf, sizeof(buf), "TYPE I\r\n");
len = strlen(buf);
#ifdef DEBUG_FTP
xmlGenericError(xmlGenericErrorContext, "%s", buf);