diff -EburN libxml2-2.5.10.orig/nanoftp.c libxml2-2.5.10/nanoftp.c --- libxml2-2.5.10.orig/nanoftp.c 2004-10-27 13:03:52.000000000 +0200 +++ libxml2-2.5.10/nanoftp.c 2004-10-27 13:26:13.000000000 +0200 @@ -334,7 +334,7 @@ if (cur[0] == '[') { cur++; - while (cur[0] != ']') + while (cur[0] != ']' && (indx < XML_NANO_MAX_URLBUF-1)) buf[indx++] = *cur++; if (!strchr (buf, ':')) { @@ -583,7 +583,7 @@ if (cur[0] == '[') { cur++; - while (cur[0] != ']') + while (cur[0] != ']' && (indx < XML_NANO_MAX_URLBUF-1)) buf[indx++] = *cur++; if (!strchr (buf, ':')) { xmlGenericError (xmlGenericErrorContext, "\nxmlNanoFTPScanProxy: %s", @@ -1062,16 +1062,22 @@ } else { if (tmp->ai_family == AF_INET6) { - memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen); + memcpy (&ctxt->ftpAddr, tmp->ai_addr, + tmp->ai_addrlen > sizeof(ctxt->ftpAddr) ? sizeof(ctxt->ftpAddr) + : tmp->ai_addrlen); ((struct sockaddr_in6 *) &ctxt->ftpAddr)->sin6_port = htons (port); ctxt->controlFd = socket (AF_INET6, SOCK_STREAM, 0); } else { - memcpy (&ctxt->ftpAddr, tmp->ai_addr, tmp->ai_addrlen); + memcpy (&ctxt->ftpAddr, tmp->ai_addr, + tmp->ai_addrlen > sizeof(ctxt->ftpAddr) ? sizeof(ctxt->ftpAddr) + : tmp->ai_addrlen); ((struct sockaddr_in *) &ctxt->ftpAddr)->sin_port = htons (port); ctxt->controlFd = socket (AF_INET, SOCK_STREAM, 0); } - addrlen = tmp->ai_addrlen; + addrlen = tmp->ai_addrlen > sizeof(ctxt->ftpAddr) + ? sizeof(ctxt->ftpAddr) + : tmp->ai_addrlen; freeaddrinfo (result); } } diff -EburN libxml2-2.5.10.orig/nanohttp.c libxml2-2.5.10/nanohttp.c --- libxml2-2.5.10.orig/nanohttp.c 2004-10-27 13:03:52.000000000 +0200 +++ libxml2-2.5.10/nanohttp.c 2004-10-27 13:32:16.000000000 +0200 @@ -995,7 +995,7 @@ struct addrinfo hints, *res, *result; result = NULL; - memset (&hints, 0,sizeof(hints)); + memset (&hints, 0, sizeof(hints)); hints.ai_socktype = SOCK_STREAM; status = getaddrinfo (host, NULL, &hints, &result); 
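Review bot: The bounded loop in the `@@ -334` hunk of nanoftp.c still stops only on `]` or a full buffer, so a URL that has `[` with no closing `]` and is shorter than the buffer makes `*cur++` read past the string's terminator; the identical loop in the `@@ -583` hunk has the same gap. Adding the terminator to the condition closes it: `while (cur[0] != ']' && cur[0] != 0 && indx < XML_NANO_MAX_URLBUF-1)`. The `strchr (buf, ':')` that follows needs `buf` to be NUL-terminated at `indx`, and no `buf[indx] = 0;` is visible between the loop and that call, so this should be confirmed in the part of the function outside these hunks. Both enclosing functions start and end outside the hunks.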
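Review bot: Clamping the length in the three `tmp->ai_addrlen > sizeof(ctxt->ftpAddr) ? ... : ...` expressions of the `@@ -1062` hunk prevents the overflow, but the code then carries on with a truncated socket address, writes a port into it and presumably hands it to the connect call. An address that does not fit is better treated as a failed lookup, e.g. `if (tmp->ai_addrlen > sizeof(ctxt->ftpAddr)) { freeaddrinfo (result); return (-1); }` ahead of the family test, after which the plain `memcpy` and `addrlen = tmp->ai_addrlen;` can stay as they were. The `-1` return is assumed, since the function's error path lies outside the hunk. The same clamp-and-continue pattern appears in the `sockin6`/`sockin` copies of the nanohttp.c `@@ -1010` hunk. The cast to `struct sockaddr_in6 *` also relies on `ctxt->ftpAddr` being at least that large, which the hunk does not show.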
@@ -1010,12 +1010,16 @@ for (res = result; res; res = res->ai_next) { if (res->ai_family == AF_INET || res->ai_family == AF_INET6) { if (res->ai_family == AF_INET6) { - memcpy (&sockin6, res->ai_addr, res->ai_addrlen); + memcpy (&sockin6, res->ai_addr, + res->ai_addrlen > sizeof(sockin6) ? + sizeof(sockin6) : res->ai_addrlen); sockin6.sin6_port = htons (port); addr = (struct sockaddr *)&sockin6; } else { - memcpy (&sockin, res->ai_addr, res->ai_addrlen); + memcpy (&sockin, res->ai_addr, + res->ai_addrlen > sizeof(sockin) ? + sizeof(sockin) : res->ai_addrlen); sockin.sin_port = htons (port); addr = (struct sockaddr *)&sockin; } @@ -1083,7 +1087,8 @@ for (i = 0; h->h_addr_list[i]; i++) { if (h->h_addrtype == AF_INET) { /* A records (IPv4) */ - memcpy (&ia, h->h_addr_list[i], h->h_length); + memcpy (&ia, h->h_addr_list[i], h->h_length > sizeof(ia) ? + sizeof(ia) : h->h_length); sockin.sin_family = h->h_addrtype; sockin.sin_addr = ia; sockin.sin_port = htons (port); @@ -1091,7 +1096,8 @@ #ifdef SUPPORT_IP6 } else if (have_ipv6 () && (h->h_addrtype == AF_INET6)) { /* AAAA records (IPv6) */ - memcpy (&ia6, h->h_addr_list[i], h->h_length); + memcpy (&ia6, h->h_addr_list[i], h->h_length > sizeof(ia6) ? + sizeof(ia6) : h->h_length); sockin6.sin6_family = h->h_addrtype; sockin6.sin6_addr = ia6; sockin6.sin6_port = htons (port);
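Review bot: In the `@@ -1083` and `@@ -1091` hunks `h->h_length` is an `int` compared against a `size_t`, so the clamp relies on the implicit conversion to unsigned to catch a negative length. A length shorter than `sizeof(ia)` or `sizeof(ia6)` still leaves part of the address unwritten before it is assigned to `sockin.sin_addr` or `sockin6.sin6_addr`. Requiring the exact size states the intent and covers both directions: `if (h->h_length != (int) sizeof(ia)) continue;` ahead of the IPv4 `memcpy`, and the same test with `ia6` in the IPv6 branch. Whether `ia` and `ia6` are initialised earlier is not visible here, as the loop body continues outside both hunks.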