Fix potential buffer overflows of interactive shell

CVE-2025-6170

Fixes #941

result/scripts/long_command

@@ -0,0 +1,8 @@
+/ > b > b > Object is a Node Set :
+Set contains 1 nodes:
+1  ELEMENT a:c
+b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
+b > b > Unknown command ess_currents_of_time_and_existence
+b > <?xml version="1.0"?>
+<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
+b > 

shell.c

@@ -1011,6 +1011,10 @@ xmllintShellPwd(xmllintShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer,
     return (0);
 }
 
+#define MAX_PROMPT_SIZE     500
+#define MAX_ARG_SIZE        400
+#define MAX_COMMAND_SIZE    100
+
 /**
  * Read a string
  *
@@ -1020,7 +1024,7 @@ xmllintShellPwd(xmllintShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer,
  */
 static char *
 xmllintShellReadline(char *prompt) {
-    char buf[501];
+    char buf[MAX_PROMPT_SIZE+1];
     char *ret;
     int len;
 
@@ -1044,9 +1048,9 @@ xmllintShellReadline(char *prompt) {
     if (prompt != NULL)
        fprintf(stdout, "%s", prompt);
     fflush(stdout);
-    if (!fgets(buf, 500, stdin))
+    if (!fgets(buf, MAX_PROMPT_SIZE, stdin))
         return(NULL);
-    buf[500] = 0;
+    buf[MAX_PROMPT_SIZE] = 0;
     len = strlen(buf);
     ret = (char *) malloc(len + 1);
     if (ret != NULL) {
@@ -1067,10 +1071,10 @@ xmllintShellReadline(char *prompt) {
 void
 xmllintShell(xmlDoc *doc, const char *filename, FILE * output)
 {
-    char prompt[500] = "/ > ";
+    char prompt[MAX_PROMPT_SIZE] = "/ > ";
     char *cmdline = NULL, *cur;
-    char command[100];
-    char arg[400];
+    char command[MAX_COMMAND_SIZE];
+    char arg[MAX_ARG_SIZE];
     int i;
     xmllintShellCtxtPtr ctxt;
 #ifdef LIBXML_XPATH_ENABLED
@@ -1127,7 +1131,8 @@ xmllintShell(xmlDoc *doc, const char *filename, FILE * output)
             cur++;
         i = 0;
         while ((*cur != ' ') && (*cur != '\t') &&
-               (*cur != '\n') && (*cur != '\r')) {
+               (*cur != '\n') && (*cur != '\r') &&
+               (i < (MAX_COMMAND_SIZE - 1))) {
             if (*cur == 0)
                 break;
             command[i++] = *cur++;
@@ -1142,7 +1147,7 @@ xmllintShell(xmlDoc *doc, const char *filename, FILE * output)
         while ((*cur == ' ') || (*cur == '\t'))
             cur++;
         i = 0;
-        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
             if (*cur == 0)
                 break;
             arg[i++] = *cur++;

test/scripts/long_command.script

@@ -0,0 +1,6 @@
+cd a/b
+set <a:c/>
+xpath //*[namespace-uri()="foo"]
+This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
+set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
+save -

test/scripts/long_command.xml

@@ -0,0 +1 @@
+<a xmlns:a="bar"><b xmlns:a="foo"/></a>