Backport security fixes (in the nanohttp and the nanoftp modules) from

libxml2 (several buffer overflows).  Bump PKGREVISION to 3.

5 files changed, 160 insertions, 5 deletions

diff --git a/textproc/libxml/Makefile b/textproc/libxml/Makefile
index e238fd9e67d..e58f45aba39 100644
--- a/textproc/libxml/Makefile
+++ b/textproc/libxml/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.32 2004/10/03 00:18:20 tv Exp $
+# $NetBSD: Makefile,v 1.33 2004/11/20 22:07:49 jmmv Exp $
 #
 
 DISTNAME=		libxml-1.8.17
-PKGREVISION=		2
+PKGREVISION=		3
 CATEGORIES=		textproc devel lang gnome
 MASTER_SITES=		ftp://rpmfind.net/pub/veillard/ \
 			${MASTER_SITE_GNOME:=sources/libxml/1.8/}
diff --git a/textproc/libxml/buildlink3.mk b/textproc/libxml/buildlink3.mk
index a1ece345535..a1e3ef505a8 100644
--- a/textproc/libxml/buildlink3.mk
+++ b/textproc/libxml/buildlink3.mk
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.5 2004/10/03 00:18:20 tv Exp $
+# $NetBSD: buildlink3.mk,v 1.6 2004/11/20 22:07:49 jmmv Exp $
 
 BUILDLINK_DEPTH:=	${BUILDLINK_DEPTH}+
 LIBXML_BUILDLINK3_MK:=	${LIBXML_BUILDLINK3_MK}+
@@ -12,7 +12,7 @@ BUILDLINK_PACKAGES+=	libxml
 
 .if !empty(LIBXML_BUILDLINK3_MK:M+)
 BUILDLINK_DEPENDS.libxml+=	libxml>=1.8.11
-BUILDLINK_RECOMMENDED.libxml+=	libxml>=1.8.17nb2
+BUILDLINK_RECOMMENDED.libxml+=	libxml>=1.8.17nb3
 BUILDLINK_FILES.libxml+=	include/gnome-xml/libxml/*.h
 BUILDLINK_PKGSRCDIR.libxml?=	../../textproc/libxml
 .endif	# LIBXML_BUILDLINK3_MK
diff --git a/textproc/libxml/distinfo b/textproc/libxml/distinfo
index b5a9479edb6..f1ce3ba5f74 100644
--- a/textproc/libxml/distinfo
+++ b/textproc/libxml/distinfo
@@ -1,7 +1,9 @@
-$NetBSD: distinfo,v 1.8 2003/04/25 03:09:08 martti Exp $
+$NetBSD: distinfo,v 1.9 2004/11/20 22:07:49 jmmv Exp $
 
 SHA1 (libxml-1.8.17.tar.gz) = ebe7b76bb2b62c882000c1a846a6f8f8346e3bb4
 Size (libxml-1.8.17.tar.gz) = 996351 bytes
 SHA1 (patch-aa) = 977a9e7f628910c2bc7e7f3c04de9917826bc0b7
 SHA1 (patch-ab) = 6c72ef59fe094ddbb4901b0f35eb681a4d0b4ff2
 SHA1 (patch-ac) = b94818200397d6c6457053fa5fe02a6049d52c44
+SHA1 (patch-ad) = 1513deb92711d9b17114ce4a00d9d5f1714234d3
+SHA1 (patch-ae) = 7f3f56ff649f3718b855da9a2d8e6f64dee95086
diff --git a/textproc/libxml/patches/patch-ad b/textproc/libxml/patches/patch-ad
new file mode 100644
index 00000000000..eaa63c15f31
--- /dev/null
+++ b/textproc/libxml/patches/patch-ad
@@ -0,0 +1,106 @@
+$NetBSD: patch-ad,v 1.3 2004/11/20 22:07:49 jmmv Exp $
+
+--- nanoftp.c.orig	2000-07-10 12:16:39.000000000 +0200
++++ nanoftp.c
+@@ -65,6 +65,8 @@ static char hostname[100];
+ #define FTP_GET_PASSWD		331
+ #define FTP_BUF_SIZE		512
+ 
++#define XML_NANO_MAX_URLBUF	4096
++
+ typedef struct xmlNanoFTPCtxt {
+     char *protocol;	/* the protocol name */
+     char *hostname;	/* the host name */
+@@ -203,7 +205,7 @@ static void
+ xmlNanoFTPScanURL(void *ctx, const char *URL) {
+     xmlNanoFTPCtxtPtr ctxt = (xmlNanoFTPCtxtPtr) ctx;
+     const char *cur = URL;
+-    char buf[4096];
++    char buf[XML_NANO_MAX_URLBUF];
+     int index = 0;
+     int port = 0;
+ 
+@@ -221,7 +223,7 @@ xmlNanoFTPScanURL(void *ctx, const char 
+     }
+     if (URL == NULL) return;
+     buf[index] = 0;
+-    while (*cur != 0) {
++    while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF - 1)) {
+         if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
+ 	    buf[index] = 0;
+ 	    ctxt->protocol = xmlMemStrdup(buf);
+@@ -234,7 +236,7 @@ xmlNanoFTPScanURL(void *ctx, const char 
+     if (*cur == 0) return;
+ 
+     buf[index] = 0;
+-    while (1) {
++    while (index < XML_NANO_MAX_URLBUF - 1) {
+         if (cur[0] == ':') {
+ 	    buf[index] = 0;
+ 	    ctxt->hostname = xmlMemStrdup(buf);
+@@ -263,7 +265,7 @@ xmlNanoFTPScanURL(void *ctx, const char 
+     else {
+         index = 0;
+         buf[index] = 0;
+-	while (*cur != 0)
++	while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1))
+ 	    buf[index++] = *cur++;
+ 	buf[index] = 0;
+ 	ctxt->path = xmlMemStrdup(buf);
+@@ -288,7 +290,7 @@ int
+ xmlNanoFTPUpdateURL(void *ctx, const char *URL) {
+     xmlNanoFTPCtxtPtr ctxt = (xmlNanoFTPCtxtPtr) ctx;
+     const char *cur = URL;
+-    char buf[4096];
++    char buf[XML_NANO_MAX_URLBUF];
+     int index = 0;
+     int port = 0;
+ 
+@@ -301,7 +303,7 @@ xmlNanoFTPUpdateURL(void *ctx, const cha
+     if (ctxt->hostname == NULL)
+ 	return(-1);
+     buf[index] = 0;
+-    while (*cur != 0) {
++    while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) {
+         if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
+ 	    buf[index] = 0;
+ 	    if (strcmp(ctxt->protocol, buf))
+@@ -353,7 +355,7 @@ xmlNanoFTPUpdateURL(void *ctx, const cha
+     else {
+         index = 0;
+         buf[index] = 0;
+-	while (*cur != 0)
++	while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1))
+ 	    buf[index++] = *cur++;
+ 	buf[index] = 0;
+ 	ctxt->path = xmlMemStrdup(buf);
+@@ -374,7 +376,7 @@ xmlNanoFTPUpdateURL(void *ctx, const cha
+ void
+ xmlNanoFTPScanProxy(const char *URL) {
+     const char *cur = URL;
+-    char buf[4096];
++    char buf[XML_NANO_MAX_URLBUF];
+     int index = 0;
+     int port = 0;
+ 
+@@ -393,7 +395,7 @@ xmlNanoFTPScanProxy(const char *URL) {
+ #endif
+     if (URL == NULL) return;
+     buf[index] = 0;
+-    while (*cur != 0) {
++    while ((*cur != 0) && (index < XML_NANO_MAX_URLBUF-1)) {
+         if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
+ 	    buf[index] = 0;
+ 	    index = 0;
+@@ -828,6 +830,11 @@ xmlNanoFTPConnect(void *ctx) {
+     if (hp == NULL)
+         return(-1);
+ 
++    if ((unsigned int) hp->h_length >
++	sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) {
++	return (-1);
++    }
++
+     /*
+      * Prepare the socket
+      */
diff --git a/textproc/libxml/patches/patch-ae b/textproc/libxml/patches/patch-ae
new file mode 100644
index 00000000000..76fc275a7d6
--- /dev/null
+++ b/textproc/libxml/patches/patch-ae
@@ -0,0 +1,47 @@
+$NetBSD: patch-ae,v 1.1 2004/11/20 22:07:49 jmmv Exp $
+
+--- nanohttp.c.orig	2000-06-28 20:33:46.000000000 +0200
++++ nanohttp.c
+@@ -161,6 +161,7 @@ xmlNanoHTTPScanURL(xmlNanoHTTPCtxtPtr ct
+     const char *cur = URL;
+     char buf[4096];
+     int index = 0;
++    const int indexMax = 4096 - 1;
+     int port = 0;
+ 
+     if (ctxt->protocol != NULL) { 
+@@ -177,7 +178,7 @@ xmlNanoHTTPScanURL(xmlNanoHTTPCtxtPtr ct
+     }
+     if (URL == NULL) return;
+     buf[index] = 0;
+-    while (*cur != 0) {
++    while ((*cur != 0) && (index < indexMax)) {
+         if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
+ 	    buf[index] = 0;
+ 	    ctxt->protocol = xmlMemStrdup(buf);
+@@ -219,7 +220,7 @@ xmlNanoHTTPScanURL(xmlNanoHTTPCtxtPtr ct
+     else {
+         index = 0;
+         buf[index] = 0;
+-	while (*cur != 0)
++	while ((*cur != 0) && (index < indexMax))
+ 	    buf[index++] = *cur++;
+ 	buf[index] = 0;
+ 	ctxt->path = xmlMemStrdup(buf);
+@@ -241,6 +242,7 @@ xmlNanoHTTPScanProxy(const char *URL) {
+     const char *cur = URL;
+     char buf[4096];
+     int index = 0;
++    const int indexMax = 4096 - 1;
+     int port = 0;
+ 
+     if (proxy != NULL) { 
+@@ -258,7 +260,7 @@ xmlNanoHTTPScanProxy(const char *URL) {
+ #endif
+     if (URL == NULL) return;
+     buf[index] = 0;
+-    while (*cur != 0) {
++    while ((*cur != 0) && (index < indexMax)) {
+         if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
+ 	    buf[index] = 0;
+ 	    index = 0;