rpms/prozilla/FC-3 prozilla-1.3.7.4-buf.patch,NONE,1.1

Fri Jan 20 10:16:53 UTC 2006

Author: jwrdegoede

Update of /cvs/extras/rpms/prozilla/FC-3
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5192

Added Files:
	prozilla-1.3.7.4-buf.patch 
Log Message:
* Fri Jan 20 2006 Hans de Goede <j.w.r.degoede at hhs.nl>
- Fix CAN-2005-2961 / bugzilla 169791


prozilla-1.3.7.4-buf.patch:

--- NEW FILE prozilla-1.3.7.4-buf.patch ---
--- prozilla-1.3.7.4/src/ftpsearch.c.buf	2006-01-05 11:43:08.000000000 +0100
+++ prozilla-1.3.7.4/src/ftpsearch.c	2006-01-05 11:59:49.000000000 +0100
@@ -81,9 +81,10 @@
     return (strstr(buf, "</A"));
 }
 
-char *get_string_ahref(char *buf, char *out)
+static char *get_string_ahref(char *buf, char *out, size_t out_size)
 {
     char *p1, *p2, *p3;
+    size_t to_copy;
 
     p1 = find_ahref(buf);
     assert(p1 != NULL);
@@ -93,11 +94,14 @@
 
     p3 = find_closed_a(p2);
     assert(p3 != NULL);
-
-    strncpy(out, p2 + 1, p3 - p2 - 1);
-    out[p3 - p2 - 1] = 0;
+    
+    to_copy = p3 - p2 - 1;
+    if (to_copy >= out_size)
+        to_copy = out_size - 1;
+    strncpy(out, p2 + 1, to_copy);
+    out[to_copy] = 0;
+    
     return p3;
-
 }
 
 
@@ -242,9 +246,8 @@
 
     p1 = kmalloc((j - i - 5) + 100);
     strncpy(p1, i + 5, j - i - 5);
-
-    debug_prz("\nstring len= %ld", strlen(p1));
     p1[j - i - 5 + 1] = 0;
+    debug_prz("\nstring len= %ld", strlen(p1));
 
     p2 = p1;
 
@@ -275,9 +278,9 @@
     for (k = 0; k < *num_servers; k++)
     {
 	memset(&(ftp_mirrors[k]), 0, sizeof(ftp_mirror));
-	p2 = get_string_ahref(p2, buf);
+	p2 = get_string_ahref(p2, buf, sizeof(buf)/sizeof(char));
 	ftp_mirrors[k].server_name = kstrdup(buf);
-	p2 = get_string_ahref(p2, buf);
+	p2 = get_string_ahref(p2, buf, sizeof(buf)/sizeof(char));
 
 	/*Strip any leading slash in the path name if preent */
 	if (*buf == '/')
@@ -285,7 +288,7 @@
 	else
 	    ftp_mirrors[k].path = kstrdup(buf);
 
-	p2 = get_string_ahref(p2, buf);
+	p2 = get_string_ahref(p2, buf, sizeof(buf)/sizeof(char));
 	ftp_mirrors[k].file_name = kstrdup(buf);
     }
 


