authorDaniel Veillard <veillard@src.gnome.org>2004-10-26 21:53:55 +0000
committerDaniel Veillard <veillard@src.gnome.org>2004-10-26 21:53:55 +0000
commit95ddcd326694de324a41a73d407d72604dd746d1 (patch)
treee11a747dddd3f452dd28eb9d18b150adb6ceb419
parent03a53c34db279cbe4a305d58969beb1f26ff3d19 (diff)
downloadlibxml2-95ddcd326694de324a41a73d407d72604dd746d1.tar.gz
applied fixes for a couple of potential security problems more fixes on
* nanoftp.c: applied fixes for a couple of potential security problems * tree.c valid.c xmllint.c: more fixes on the string interning checks Daniel
-rw-r--r--ChangeLog5
-rw-r--r--nanoftp.c15
-rw-r--r--tree.c4
-rw-r--r--valid.c3
-rw-r--r--xmllint.c2
5 files changed, 22 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 34e3d25f..0c46bd4c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Tue Oct 26 23:57:02 CEST 2004 Daniel Veillard <daniel@veillard.com>
+
+ * nanoftp.c: applied fixes for a couple of potential security problems
+ * tree.c valid.c xmllint.c: more fixes on the string interning checks
+
Tue Oct 26 18:09:59 CEST 2004 Daniel Veillard <daniel@veillard.com>
* debugXML.c include/libxml/xmlerror.h: added checking for names
diff --git a/nanoftp.c b/nanoftp.c
index 7fe20952..27054c6e 100644
--- a/nanoftp.c
+++ b/nanoftp.c
@@ -355,8 +355,13 @@ xmlNanoFTPScanURL(void *ctx, const char *URL) {
if (cur[0] == '[') {
cur++;
- while (cur[0] != ']')
+ while ((cur[0] != ']') && (indx < XML_NANO_MAX_URLBUF-1))
buf[indx++] = *cur++;
+ if (indx >= XML_NANO_MAX_URLBUF-1) {
+ xmlGenericError(xmlGenericErrorContext,
+ "\nxmlNanoFTPScanURL: %s", "Syntax Error\n");
+ return;
+ }
if (!strchr (buf, ':')) {
xmlGenericError (xmlGenericErrorContext, "\nxmlNanoFTPScanURL: %s",
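Review bot: The bounded loop `while ((cur[0] != ']') && (indx < XML_NANO_MAX_URLBUF-1))` still never tests for the end of the URL string, so an input with `[` and no closing `]` keeps advancing `cur` past the terminating NUL until the index limit stops it, which is a read beyond the URL. Adding the terminator test, `while ((cur[0] != 0) && (cur[0] != ']') && (indx < XML_NANO_MAX_URLBUF-1))`, and rejecting on `if (cur[0] != ']')` rather than on the index comparison would cover both the overlong and the unterminated case. The hunk also shows no `buf[indx] = 0;` between the copy and `strchr (buf, ':')`; if buf is not terminated elsewhere, that search runs over stale bytes. The same loop and check are added to xmlNanoFTPScanProxy in the next hunk, and both function bodies continue outside the hunks.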
@@ -604,8 +609,14 @@ xmlNanoFTPScanProxy(const char *URL) {
if (cur[0] == '[') {
cur++;
- while (cur[0] != ']')
+ while ((cur[0] != ']') && (indx < XML_NANO_MAX_URLBUF-1))
buf[indx++] = *cur++;
+ if (indx >= XML_NANO_MAX_URLBUF-1) {
+ xmlGenericError (xmlGenericErrorContext,
+ "\nxmlNanoFTPScanProxy: %s", "Syntax error\n");
+ return;
+ }
+
if (!strchr (buf, ':')) {
xmlGenericError (xmlGenericErrorContext, "\nxmlNanoFTPScanProxy: %s",
"Use [IPv6]/IPv4 format\n");
diff --git a/tree.c b/tree.c
index c324e543..9de498d4 100644
--- a/tree.c
+++ b/tree.c
@@ -2270,7 +2270,7 @@ xmlNewDocNode(xmlDocPtr doc, xmlNsPtr ns,
const xmlChar *name, const xmlChar *content) {
xmlNodePtr cur;
- if (doc->dict != NULL)
+ if ((doc != NULL) && (doc->dict != NULL))
cur = xmlNewNodeEatName(ns, (xmlChar *)
xmlDictLookup(doc->dict, name, -1));
else
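Review bot: The cast in `xmlNewNodeEatName(ns, (xmlChar *) xmlDictLookup(doc->dict, name, -1))` drops `const` from a string owned by the document dictionary and passes it to a function whose name suggests it takes ownership of the name, and nothing here records that rule. A comment above the branch such as `/* name is interned in doc->dict: it must only be released through the dictionary-aware free path */` would make the ownership explicit for anyone changing the node-free code. It is also not visible here whether xmlNewNodeEatName handles a NULL result from xmlDictLookup, which is worth confirming. The function body continues outside the hunk.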
@@ -2336,7 +2336,7 @@ xmlNewDocRawNode(xmlDocPtr doc, xmlNsPtr ns,
const xmlChar *name, const xmlChar *content) {
xmlNodePtr cur;
- cur = xmlNewNode(ns, name);
+ cur = xmlNewDocNode(doc, ns, name, NULL);
if (cur != NULL) {
cur->doc = doc;
if (content != NULL) {
diff --git a/valid.c b/valid.c
index 2ce83b13..b8539929 100644
--- a/valid.c
+++ b/valid.c
@@ -6697,8 +6697,7 @@ xmlValidGetValidElements(xmlNode *prev, xmlNode *next, const xmlChar **names,
/*
* Creates a dummy node and insert it into the tree
*/
- test_node = xmlNewNode (NULL, BAD_CAST "<!dummy?>");
- test_node->doc = ref_node->doc;
+ test_node = xmlNewDocNode (ref_node->doc, NULL, BAD_CAST "<!dummy?>", NULL);
test_node->parent = parent;
test_node->prev = prev;
test_node->next = next;
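Review bot: `test_node` is dereferenced on the line right after `xmlNewDocNode (...)` with no NULL check, so an allocation failure becomes a NULL pointer write at `test_node->parent = parent;`. The xmlNewDocRawNode hunk in tree.c tests `cur != NULL` after the same call, which suggests NULL is a possible result. A guard such as `if (test_node == NULL) return(-1);` directly after the call would handle it, assuming -1 is this function's error return, which the hunk does not show. The function starts and ends outside the hunk.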
diff --git a/xmllint.c b/xmllint.c
index 9b4d6953..5d720a0a 100644
--- a/xmllint.c
+++ b/xmllint.c
@@ -1005,7 +1005,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
xmlNodePtr n;
doc = xmlNewDoc(BAD_CAST "1.0");
- n = xmlNewNode(NULL, BAD_CAST "info");
+ n = xmlNewDocNode(doc, NULL, BAD_CAST "info", NULL);
xmlNodeSetContent(n, BAD_CAST "abc");
xmlDocSetRootElement(doc, n);
}