commit f1b931905e180ae805178d00d007b823f1a9d013
Author: Jaak Ristioja <jaak@ristioja.ee>
Date:   Thu Jun 27 22:57:03 2013 +0300

    Fixed an NULL pointer dereference.
    
    A crash is caused by a NULL pointer dereference, because
    
      pBufRes = (char *)findSizeStart(pBuf);
    
    might return NULL after which
    
      pBuf = pBufRes;
    
    and
    
      pBuf++;
      pBuf = strstr(pBuf, "<a href=\"");
    
    are executed. The latter strstr expression tries to dereference
    (++((char*)NULL)) and crashes.

diff --git a/src/mgr/curlhttpt.cpp b/src/mgr/curlhttpt.cpp
index c1c9589..8dfe768 100644
--- a/src/mgr/curlhttpt.cpp
+++ b/src/mgr/curlhttpt.cpp
@@ -232,13 +232,13 @@ vector<struct DirEntry> CURLHTTPTransport::getDirList(const char *dirURL) {
 						fSize *= 1024;
 					else if (pBufRes[0] == 'M')
 						fSize *= 1048576;
+					pBuf = pBufRes;
 				}
 				struct DirEntry i;
 				i.name = possibleName;
 				i.size = (long unsigned int)fSize;
 				i.isDirectory = (possibleName[possibleNameLength-1] == '/');
 				dirList.push_back(i);
-				pBuf = pBufRes;
 			} else {
 				pBuf += possibleNameLength;
 			}

commit b848916c803b82deaa24654c0c4c2c192b2db439
Author: Jaak Ristioja <jaak@ristioja.ee>
Date:   Thu Jun 27 23:25:45 2013 +0300

    Fixed buffer overflow.
    
    The sprintf() call didn't count for the fact that possibleNameLength might
    be greater than 399.
    
    DISCLAIMER: This is one of the most terrible patches I've ever written. But
    I hope this makes the Sword guys happy if post them a patch where I adhere
    to their coding standards. I will attempt to fix this in the future.

diff --git a/src/mgr/curlhttpt.cpp b/src/mgr/curlhttpt.cpp
index 8dfe768..3b41167 100644
--- a/src/mgr/curlhttpt.cpp
+++ b/src/mgr/curlhttpt.cpp
@@ -25,6 +25,7 @@
 #include <vector>
 #include <cctype>
 
+#include <cassert>
 #include <curl/curl.h>
 #include <curl/easy.h>
 
@@ -209,17 +210,20 @@ vector<struct DirEntry> CURLHTTPTransport::getDirList(const char *dirURL) {
 	SWBuf dirBuf;
 	const char *pBuf;
 	char *pBufRes;
-	char possibleName[400];
+	char * possibleName;
 	double fSize;
-	int possibleNameLength = 0;
+	size_t possibleNameLength;
 	
 	if (!getURL("", dirURL, &dirBuf)) {
 		pBuf = strstr(dirBuf, "<a href=\"");//Find the next link to a possible file name.
 		while (pBuf != NULL) {
 			pBuf += 9;//move to the start of the actual name.
 			pBufRes = (char *)strchr(pBuf, '\"');//Find the end of the possible file name
+			assert(pBufRes > pBuf);
 			possibleNameLength = pBufRes - pBuf;
-			sprintf(possibleName, "%.*s", possibleNameLength, pBuf);
+			possibleName = new char[possibleNameLength + 1u];
+			memcpy(possibleName, pBuf, possibleNameLength);
+			possibleName[possibleNameLength] = '\0';
 			if (isalnum(possibleName[0])) {
 				SWLog::getSystemLog()->logDebug("getDirListHTTP: Found a file: %s", possibleName);
 				pBuf = pBufRes;
@@ -242,6 +246,8 @@ vector<struct DirEntry> CURLHTTPTransport::getDirList(const char *dirURL) {
 			} else {
 				pBuf += possibleNameLength;
 			}
+			delete[] possibleName;
+
 			pBuf++;
 			pBuf = strstr(pBuf, "<a href=\"");//Find the next link to a possible file name.
 		}

commit e242a489dbde457c8cd2309c47bcd5634777bbce
Author: Jaak Ristioja <jaak@ristioja.ee>
Date:   Mon Jul 1 18:45:19 2013 +0300

    Fixed another overflow bug.

diff --git a/src/mgr/curlhttpt.cpp b/src/mgr/curlhttpt.cpp
index 3b41167..32c110a 100644
--- a/src/mgr/curlhttpt.cpp
+++ b/src/mgr/curlhttpt.cpp
@@ -219,6 +219,8 @@ vector<struct DirEntry> CURLHTTPTransport::getDirList(const char *dirURL) {
 		while (pBuf != NULL) {
 			pBuf += 9;//move to the start of the actual name.
 			pBufRes = (char *)strchr(pBuf, '\"');//Find the end of the possible file name
+			if (!pBufRes)
+				break;
 			assert(pBufRes > pBuf);
 			possibleNameLength = pBufRes - pBuf;
 			possibleName = new char[possibleNameLength + 1u];