1 files changed, 18 insertions, 0 deletions

diff --git a/nanohttp.c b/nanohttp.c
index 8dbd9fc0..0a726839 100644
--- a/nanohttp.c
+++ b/nanohttp.c
@@ -1072,11 +1072,21 @@ xmlNanoHTTPConnectHost(const char *host, int port)
 	for (res = result; res; res = res->ai_next) {
 	    if (res->ai_family == AF_INET || res->ai_family == AF_INET6) {
 		if (res->ai_family == AF_INET6) {
+		    if (res->ai_addrlen > sizeof(sockin6)) {
+			__xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
+			freeaddrinfo (result);
+			return (-1);
+		    }
 		    memcpy (&sockin6, res->ai_addr, res->ai_addrlen);
 		    sockin6.sin6_port = htons (port);
 		    addr = (struct sockaddr *)&sockin6;
 		}
 		else {
+		    if (res->ai_addrlen > sizeof(sockin)) {
+			__xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
+			freeaddrinfo (result);
+			return (-1);
+		    }
 		    memcpy (&sockin, res->ai_addr, res->ai_addrlen);
 		    sockin.sin_port = htons (port);
 		    addr = (struct sockaddr *)&sockin;
@@ -1141,6 +1151,10 @@ xmlNanoHTTPConnectHost(const char *host, int port)
 	for (i = 0; h->h_addr_list[i]; i++) {
 	    if (h->h_addrtype == AF_INET) {
 		/* A records (IPv4) */
+		if ((unsigned int) h->h_length > sizeof(ia)) {
+		    __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
+		    return (-1);
+		}
 		memcpy (&ia, h->h_addr_list[i], h->h_length);
 		sockin.sin_family = h->h_addrtype;
 		sockin.sin_addr = ia;
@@ -1149,6 +1163,10 @@ xmlNanoHTTPConnectHost(const char *host, int port)
 #ifdef SUPPORT_IP6
 	    } else if (have_ipv6 () && (h->h_addrtype == AF_INET6)) {
 		/* AAAA records (IPv6) */
+		if ((unsigned int) h->h_length > sizeof(ia6)) {
+		    __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n");
+		    return (-1);
+		}
 		memcpy (&ia6, h->h_addr_list[i], h->h_length);
 		sockin6.sin6_family = h->h_addrtype;
 		sockin6.sin6_addr = ia6;