From 89e09e59f29c088997c28408d265e721b04b6989 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= Date: Thu, 13 Feb 2020 17:10:01 +0100 Subject: [PATCH] * src/ftp-basic.c (ftp_request): Remove use of alloca --- src/ftp-basic.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/src/ftp-basic.c b/src/ftp-basic.c index e7996c25..197cd837 100644 --- a/src/ftp-basic.c +++ b/src/ftp-basic.c @@ -93,8 +93,11 @@ static char * ftp_request (const char *command, const char *value) { char *res; + if (value) { + char *defanged = NULL, buf[256]; + /* Check for newlines in VALUE (possibly injected by the %0A URL escape) making the callers inadvertently send multiple FTP commands at once. Without this check an attacker could @@ -103,18 +106,31 @@ ftp_request (const char *command, const char *value) if (strpbrk (value, "\r\n")) { /* Copy VALUE to the stack and modify CR/LF to space. */ - char *defanged, *p; - STRDUP_ALLOCA (defanged, value); + char *p; + size_t len = strlen(value); + + if (len < sizeof (buf)) + defanged = buf; + else + defanged = xmalloc (len + 1); + + memcpy (defanged, value, len + 1); + for (p = defanged; *p; p++) if (*p == '\r' || *p == '\n') *p = ' '; + DEBUGP (("\nDetected newlines in %s \"%s\"; changing to %s \"%s\"\n", command, quotearg_style (escape_quoting_style, value), command, quotearg_style (escape_quoting_style, defanged))); + /* Make VALUE point to the defanged copy of the string. */ value = defanged; } res = concat_strings (command, " ", value, "\r\n", (char *) 0); + + if (defanged != buf) + xfree (defanged); } else res = concat_strings (command, "\r\n", (char *) 0);
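Review bot: The context comment `/* Copy VALUE to the stack and modify CR/LF to space. */` in the second hunk is stale after this change, because the copy now goes into `buf` only when `len < sizeof (buf)` and onto the heap otherwise; I would reword it to `/* Copy VALUE (into BUF if it fits, otherwise onto the heap) and modify CR/LF to space. */`. The cleanup `if (defanged != buf) xfree (defanged);` is correct only because `defanged` is initialised to NULL in the first hunk and stays NULL when no CR/LF is found, so `xfree` is then reached with NULL, which is presumably harmless. That invariant deserves a one-line comment such as `/* DEFANGED is NULL, BUF, or an xmalloc'ed copy; only the last one owns memory. */`. As a style point, `strlen(value)` should be written `strlen (value)` to match the spacing of the other calls in the function. ftp_request continues past the end of the second hunk, so the remaining use of `res` is not visible here.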