pidgin: 84946a05: Apply [9bac0a540156fb1848eedd61c8630737d...
rekkanoryo at pidgin.im
rekkanoryo at pidgin.im
Sat Jun 27 15:00:31 EDT 2009
-----------------------------------------------------------------
Revision: 84946a05a555bf00b813da3bbf4c1af3856a62e0
Ancestor: aeccaeff23a7b1b719d2b0c30b86b85b2d1effab
Author: rekkanoryo at pidgin.im
Date: 2009-06-27T18:50:48
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/84946a05a555bf00b813da3bbf4c1af3856a62e0
Modified files:
libpurple/protocols/oscar/bstream.c
libpurple/protocols/oscar/oscar.c
ChangeLog:
Apply [9bac0a540156fb1848eedd61c8630737dee752c7] here as well. I should
actually have committed this here first, then plucked to 2.5.8, but by the
time I realized this it was too late to fix. Refs #9483.
-------------- next part --------------
============================================================
--- libpurple/protocols/oscar/bstream.c 1b70134e5f9f283ef26d4b64af11c01f31aef174
+++ libpurple/protocols/oscar/bstream.c 3fa6dd1e0661576aae2c20be5e28a600365a80dd
@@ -161,15 +161,19 @@ guint32 byte_stream_getle32(ByteStream *
return aimutil_getle32(bs->data + bs->offset - 4);
}
+static void byte_stream_getrawbuf_nocheck(ByteStream *bs, guint8 *buf, int len)
+{
+ memcpy(buf, bs->data + bs->offset, len);
+ bs->offset += len;
+}
+
int byte_stream_getrawbuf(ByteStream *bs, guint8 *buf, int len)
{
if (byte_stream_empty(bs) < len)
return 0;
- memcpy(buf, bs->data + bs->offset, len);
- bs->offset += len;
-
+ byte_stream_getrawbuf_nocheck(bs, buf, len);
return len;
}
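Review bot: The guard `byte_stream_empty(bs) < len` in byte_stream_getrawbuf only rejects a len that is too large. Because len is a signed int, a negative value passes the test (assuming byte_stream_empty returns a signed count, which is not visible here) and reaches the memcpy in byte_stream_getrawbuf_nocheck, where it is converted to a very large size. I would tighten the guard to `if (len < 0 || byte_stream_empty(bs) < len) return 0;`. The identical guards added in byte_stream_getraw and byte_stream_getstr need the same change, returning NULL there; their len parameter type is cut off in the hunk headers and is presumably also int. The new helper should also state its contract, for example `/* Caller must already have verified 0 <= len <= byte_stream_empty(bs). */`.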
@@ -177,12 +181,12 @@ guint8 *byte_stream_getraw(ByteStream *b
{
guint8 *ob;
+ if (byte_stream_empty(bs) < len)
+ return NULL;
+
ob = g_malloc(len);
- if (byte_stream_getrawbuf(bs, ob, len) < len) {
- g_free(ob);
- return NULL;
- }
+ byte_stream_getrawbuf_nocheck(bs, ob, len);
return ob;
}
@@ -191,12 +195,12 @@ char *byte_stream_getstr(ByteStream *bs,
{
char *ob;
+ if (byte_stream_empty(bs) < len)
+ return NULL;
+
ob = g_malloc(len + 1);
- if (byte_stream_getrawbuf(bs, (guint8 *)ob, len) < len) {
- g_free(ob);
- return NULL;
- }
+ byte_stream_getrawbuf_nocheck(bs, (guint8 *)ob, len);
ob[len] = '\0';
============================================================
--- libpurple/protocols/oscar/oscar.c b1c98c6364129da3b0347d5886fcf468e4140025
+++ libpurple/protocols/oscar/oscar.c 6430f16c5d2e67450b297b71f1ef06521c2482f8
@@ -2905,9 +2905,15 @@ incomingim_chan4(OscarData *od, FlapConn
/* From libicq2000-0.3.2/src/ICQ.cpp */
byte_stream_init(&qbs, (guint8 *)args->msg, args->msglen);
byte_stream_advance(&qbs, 21);
+ /* expected: 01 00 00 20 00 0e 28 f6 00 11 e7 d3 11 bc f3 00 04 ac 96 9d c2 | 00 00 | 06 00 00 00 | 49 43 51 53 43 53 ...*/
+ /* unexpected: 00 00 26 00 81 1a 18 bc 0e 6c 18 47 a5 91 6f 18 dc c7 6f 1a | 00 00 | 0d 00 00 00 | 49 43 51 57 65 62 4d 65 73 73 61 67 65 ... */
smstype = byte_stream_getle16(&qbs);
+ if (smstype != 0)
+ break;
taglen = byte_stream_getle32(&qbs);
tagstr = byte_stream_getstr(&qbs, taglen);
+ if (tagstr == NULL)
+ break;
byte_stream_advance(&qbs, 3);
byte_stream_advance(&qbs, 4);
smslen = byte_stream_getle32(&qbs);
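Review bot: The value `smslen` read on the last line of the hunk comes from the wire just as `taglen` does, but the hunk ends before showing how it is used. If it is passed to another byte_stream_getstr call below, that result needs the same NULL test, and the exit must release the string already allocated: `g_free(tagstr); break;`. The two new `break` statements also drop the message silently, so a debug line before `if (smstype != 0) break;` would help when diagnosing malformed channel-4 messages. The enclosing case block starts and ends outside the hunk, so the cleanup at the end of the block could not be checked.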