pidgin: f450cc27: Fix recipt of ICQ messages from the mobi...
rekkanoryo at pidgin.im
rekkanoryo at pidgin.im
Sun Feb 15 17:00:58 EST 2009
-----------------------------------------------------------------
Revision: f450cc27747b13860314b51bf1aaa7a923f42b8f
Ancestor: 0ed824d0e7a548cb9a2fc4da692270475567d7d6
Author: david.jedelsky at gmail.com
Date: 2009-02-15T19:01:58
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/f450cc27747b13860314b51bf1aaa7a923f42b8f
Modified files:
ChangeLog libpurple/protocols/oscar/family_icbm.c
ChangeLog:
Fix receipt of ICQ messages from the mobile client "Slick." Fixes #7084, #7595.
============================================================
--- ChangeLog 6077435099c49ffc1287dc4a60bc752b579dec0f
+++ ChangeLog 0b07eb862f014020305d395e0012257fdb4dd4ad
@@ -15,6 +15,7 @@ version 2.5.5 (??/??/????):
of buddy icons and available messages.
* Properly publish status messages for statuses other than Available.
ICQ 6.x users can now see these status messages. (Daniel Ljungborg)
+ * Fix recipt of messages from the mobile client Slick. (David Jedelsky)
MSN:
* Fix transfer of buddy icons, custom smileys, and files from the
============================================================
--- libpurple/protocols/oscar/family_icbm.c 80ce9708420fc9a68491d504ae265384ff5a63c9
+++ libpurple/protocols/oscar/family_icbm.c 18ddbc7d86612fd9ae5917928b5835df2aae50b8
@@ -1566,9 +1566,10 @@ static int incomingim_ch1(OscarData *od,
static int incomingim_ch1(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, guint16 channel, aim_userinfo_t *userinfo, ByteStream *bs, guint8 *cookie)
{
- guint16 type, length;
+ guint16 type, length, magic1, msglen;
aim_rxcallback_t userfunc;
int ret = 0;
+ int rev = 0;
struct aim_incomingim_ch1_args args;
unsigned int endpos;
@@ -1603,11 +1604,31 @@ static int incomingim_ch1(OscarData *od,
* - 0101 -- Unknown
* - Message
*
+ * Slick and possible others reverse 'Features' and 'Messages' section.
+ * Thus, the TLV could have following layout:
+ * - 0101 -- Unknown (possibly magic for message section)
+ * - Message
+ * - 0501 -- Unknown (possibly magic for features section)
+ * - Features: Don't know how to interpret these
*/
- byte_stream_get8(bs); /* 05 */
- byte_stream_get8(bs); /* 01 */
+ magic1 = byte_stream_get16(bs); /* 0501 or 0101 */
+ if (magic1 == 0x101) /* Bad, message comes before attributes */
+ {
+ /* Jump to the features section */
+ msglen = byte_stream_get16(bs);
+ bs->offset += msglen;
+ rev = 1;
+ magic1 = byte_stream_get16(bs); /* 0501 */
+ }
+
+ if (magic1 != 0x501)
+ {
+ purple_debug_misc("oscar", "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);
+ break;
+ }
+
args.featureslen = byte_stream_get16(bs);
if (args.featureslen > byte_stream_empty(bs))
{
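Review bot: The `bs->offset += msglen;` skip in the reversed-layout branch advances the stream by a wire-supplied 16-bit length with no comparison against the bytes actually left, so a hostile peer can push the offset past the end of the TLV buffer before the second `byte_stream_get16` call; whether that later read is caught depends on ByteStream's internal guard, which is not visible here. Every other length in this function is validated the way `args.featureslen` is on the next line, so the skip should get the same treatment: `if (msglen > byte_stream_empty(bs)) { purple_debug_misc("oscar", "Received an IM with a bogus message length from %s.\n", userinfo->sn); break; }` placed before `bs->offset += msglen;`. It would also be worth a one-line comment on the `if (magic1 == 0x101)` branch saying that the message-first layout is recognised only because Slick emits it, since the 0x0101/0x0501 meanings are admittedly unknown. incomingim_ch1 starts in the previous hunk and continues past this one.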
@@ -1624,11 +1645,25 @@ static int incomingim_ch1(OscarData *od,
args.icbmflags |= AIM_IMFLAGS_CUSTOMFEATURES;
}
+ if (rev)
+ {
+ /* Fix buffer back to message */
+ bs->offset -= args.featureslen + 2 + 2 + msglen + 2 + 2;
+ }
+
+ magic1 = byte_stream_get16(bs); /* 01 01 */
+ if (magic1 != 0x101) /* Bad, message comes before attributes */
+ {
+ purple_debug_misc("oscar", "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);
+ break;
+ }
+ msglen = byte_stream_get16(bs);
+
/*
* The rest of the TLV contains one or more message
* blocks...
*/
- incomingim_ch1_parsemsgs(od, userinfo, bs->data + bs->offset /* XXX evil!!! */, length - 2 - 2 - args.featureslen, &args);
+ incomingim_ch1_parsemsgs(od, userinfo, bs->data + bs->offset - 2 - 2 /* XXX evil!!! */, msglen + 2 + 2, &args);
} else if (type == 0x0003) { /* Server Ack Requested */
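Review bot: `msglen` is read from the wire at `msglen = byte_stream_get16(bs);` and handed straight to `incomingim_ch1_parsemsgs` as `msglen + 2 + 2` without ever being compared with the bytes remaining in the stream; the removed line bounded the message by `length - 2 - 2 - args.featureslen`, i.e. by the enclosing TLV, and that bound is gone. In the normal (non-reversed) layout nothing earlier has walked over the message, so an oversized `msglen` lets the parser read past the TLV and, depending on how the caller sized `bs`, past the packet. The check should sit between reading `msglen` and the call, matching the `args.featureslen` check above it; a cross-check that `2 + 2 + args.featureslen + 2 + 2 + msglen` does not exceed `length` would restore the old TLV bound as well, if `length` is still the TLV length at this point (its assignment is outside the hunk). The `/* XXX evil!!! */` pointer-arithmetic comment is carried over but now also backs up four bytes, so the comment should say why: the parser expects to see the 0x0101 marker and length itself. The enclosing function continues beyond this hunk.
```c
	msglen = byte_stream_get16(bs);
	/* msglen comes from the peer: bound it by what is actually left in the stream. */
	if (msglen > byte_stream_empty(bs))
	{
		purple_debug_misc("oscar", "Received an IM with a message length larger than the remaining data from %s. They are probably trying to do something malicious.\n", userinfo->sn);
		break;
	}
	/* … unchanged: comment and incomingim_ch1_parsemsgs call … */
```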