pidgin: 050e412d: I've seen this crash a few times where c...

markdoliner at pidgin.im markdoliner at pidgin.im
Tue Nov 18 02:20:32 EST 2008 

-----------------------------------------------------------------
Revision: 050e412d19af350e54a9105f34339a2690d8fc08
Ancestor: 3aeaf3a7618d02c709050dc672f3a4e93742631c
Author: markdoliner at pidgin.im
Date: 2008-11-18T07:16:49
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/050e412d19af350e54a9105f34339a2690d8fc08

Modified files:
        libpurple/protocols/msn/notification.c

ChangeLog: 

I've seen this crash a few times where cmd->param_count is 4 and
we try to access params[4] which is invalid.

The backtrace is:
#0  0x0000003c4c4341ca in ____strtoll_l_internal () from /lib64/libc.so.6
#1  0x0000003c4c431ab2 in atoi () from /lib64/libc.so.6
#2  0x00000000005f0abe in ubm_cmd (cmdproc=0xc86eb30, cmd=0xc832e00) at notification.c:494
#3  0x00000000005efef1 in msn_cmdproc_process_cmd (cmdproc=0xc86eb30, cmd=0xc832e00)
    at cmdproc.c:321
#4  0x00000000005eff97 in msn_cmdproc_process_cmd_text (cmdproc=0xc86eb30,
    command=0xcadb390 "UBM somebody1 at yahoo.com 32 1 170") at cmdproc.c:343
#5  0x00000000005f9d8f in read_cb (data=0xc86ea90, source=9, cond=PURPLE_INPUT_READ)
    at servconn.c:439
#6  0x00000000004db70c in pidgin_io_invoke (source=0xc8369f0, condition=G_IO_IN, data=0xc836570)
    at gtkeventloop.cc:79

Here are some other values I've seen for command in frame 4:
UBM somebody1 at yahoo.com 32 1 170
UBM somebody2 at yahoo.com 32 2 91
UBM somebody3 at yahoo.com 32 2 93

-------------- next part --------------
============================================================
--- libpurple/protocols/msn/notification.c	ea7644b1389c1b91eab7ea7fc66c5f3c5a769c93
+++ libpurple/protocols/msn/notification.c	b87e49537e4bc236bf8b3335e3744c913bc6d910
@@ -491,7 +491,7 @@ ubm_cmd(MsnCmdProc *cmdproc, MsnCommand 
 	 * command and we are processing it */
 	if (cmd->payload == NULL) {
 		cmdproc->last_cmd->payload_cb = msg_cmd_post;
-		cmd->payload_len = atoi(cmd->params[4]);
+		cmd->payload_len = cmd->param_count >= 4 ? atoi(cmd->params[4]) : 0;
 	} else {
 		g_return_if_fail(cmd->payload_cb != NULL);

More information about the Commits mailing list