fix: prevent segfault if malicious server sends 1 GB of data through ftpNLST.

[platform/upstream/rpm.git] / rpmio / rpmrpc.c

diff --git a/rpmio/rpmrpc.c b/rpmio/rpmrpc.c
index 2edaa01..9f3be35 100644 (file)
--- a/rpmio/rpmrpc.c
+++ b/rpmio/rpmrpc.c
@@ -9,7 +9,6 @@
 #endif
 
 #include <rpmio_internal.h>
-#include <popt.h>
 #include "ugid.h"
 #include "debug.h"
 
@@ -904,6 +903,7 @@ static int ftpNLST(const char * url, ftpSysCall_t ftpSysCall,
        /* XXX FIXME: realloc ftpBuf if < ~128 chars remain */
        if ((ftpBufAlloced - bufLength) < (1024+80)) {
            ftpBufAlloced <<= 2;
+           assert(ftpBufAlloced < (8*1024*1024));
            ftpBuf = xrealloc(ftpBuf, ftpBufAlloced);
        }
        s = se = ftpBuf + bufLength;
@@ -1023,7 +1023,7 @@ static const char * statstr(const struct stat * st,
        (unsigned)st->st_dev,
        (unsigned)st->st_ino,
        st->st_mode,
-       st->st_nlink,
+       (unsigned)st->st_nlink,
        st->st_uid,
        st->st_gid,
        (unsigned)st->st_rdev,
@@ -1287,7 +1287,7 @@ static struct dirent * ftpReaddir(DIR * dir)
     dp->d_ino = i + 1;         /* W2DO? */
     dp->d_reclen = 0;          /* W2DO? */
 
-#if !defined(hpux)
+#if !defined(hpux) && !defined(sun)
     dp->d_off = 0;             /* W2DO? */
 /*@-boundsread@*/
     dp->d_type = dt[i];