replaced sprintf() with snprintf() to prevent possible buffer overflow
* DOCBparser.c HTMLparser.c debugXML.c encoding.c
nanoftp.c nanohttp.c parser.c tree.c uri.c xmlIO.c
xmllint.c xpath.c: replaced sprintf() with snprintf()
to prevent possible buffer overflow (the bug was pointed
out by Anju Premachandran)
diff --git a/tree.c b/tree.c
index b4b143b..f958cb2 100644
--- a/tree.c
+++ b/tree.c
@@ -4599,17 +4599,17 @@
* Let's strip namespace prefixes longer than 20 chars !
*/
if (ns->prefix == NULL)
- sprintf((char *) prefix, "default");
+ snprintf((char *) prefix, sizeof(prefix), "default");
else
- sprintf((char *) prefix, "%.20s", ns->prefix);
+ snprintf((char *) prefix, sizeof(prefix), "%.20s", ns->prefix);
def = xmlSearchNs(doc, tree, prefix);
while (def != NULL) {
if (counter > 1000) return(NULL);
if (ns->prefix == NULL)
- sprintf((char *) prefix, "default%d", counter++);
+ snprintf((char *) prefix, sizeof(prefix), "default%d", counter++);
else
- sprintf((char *) prefix, "%.20s%d", ns->prefix, counter++);
+ snprintf((char *) prefix, sizeof(prefix), "%.20s%d", ns->prefix, counter++);
def = xmlSearchNs(doc, tree, prefix);
}
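Review bot: `sizeof(prefix)` in the four snprintf() calls is the right bound only if `prefix` is declared as an array in this function; the declaration, like the start and end of the function, is outside the hunk, and a pointer would silently reduce the bound to the pointer size. The snprintf() return value is also ignored, so a truncated name would reach xmlSearchNs() with no signal. With `%.20s` and the `counter > 1000` cutoff the longest output appears to be 20 bytes plus four digits plus the terminator, but nothing in the code states that requirement. I would add a comment above the first call such as `/* prefix[] must hold 20 bytes of ns->prefix + counter digits + NUL; sizeof(prefix) relies on it being an array */`. Separately, `%.20s` cuts by bytes, so a multi-byte UTF-8 prefix may be split in the middle of a character.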