Re: [xml] A long URL causes SEGV

Yuuichi Teranishi wrote:
Fixed. Thanks.

I noticed `xmlNanoHTTPScanProxy' also has the problem.
The patch attached to this mail solves it too (hopefully).
(It defines XML_NANO_HTTP_URL_LENGTH instead of a magic number 4096 ;-)

By the way, this bug causes a buffer overflow, doesn't it?
I'm worrying this may allow remote attackers to embed a long URL
in the XML file (or something like that which kicks nanohttp)
to execute illegal codes.
If so, I think fixed version should be released and announced to
the developers.

Fixed in CVS since yesterday. Using the magic number instead of the macro, but the bug is gone anyway :-)

This was the buffer overflow, that is right. Thus there was a theoretical possibility to execute arbitrary code by constructing a malicious URL. However, most users control the XML they feed libxml with, so there is little chance for an actual exploit.

Nevertheless, since we Windows users cannot be trusted to keep our machines secure, a Windows binary with this fix (called version 2.6.5+) has allready been released.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]