soc.2010.icq-tlc: 4c9bb423: *** Plucked rev 7e159eaa14b0041fcc3ee578...
markdoliner at pidgin.im
Tue Aug 10 13:55:47 EDT 2010
----------------------------------------------------------------------
Revision: 4c9bb4231e46e234d01e6dc64bf4be49fb12c27c
Parent: 62d20fa69e82c62b276adac211c3f839df49e21e
Author: markdoliner at pidgin.im
Date: 08/10/10 13:53:07
Branch: im.pidgin.soc.2010.icq-tlc
URL: http://d.pidgin.im/viewmtn/revision/info/4c9bb4231e46e234d01e6dc64bf4be49fb12c27c
Changelog:
*** Plucked rev 7e159eaa14b0041fcc3ee5783cd1e4f2d039a1a1 (markdoliner at pidgin.im):
Fix a crash bug in oscar related to trying to allocate too much memory.
This was reported to our security mailing list by Jan Kaluza The Great.
I honestly couldn't figure out how to repro this crash, so I've been
considering it as not a remote-crash security problem, so I chose to
skip the CVE process for this.
*** Plucked rev 5f40454216dc36a3276e369a5b9483d6bddc13f2 (markdoliner at pidgin.im):
Make these unsigned, in case someone figures out how to actually send
one of these and somehow manages to use a negative number. Pointed out
by Yuriy M. Kaminskiy. Thanks, Yuriy!
Changes against parent 62d20fa69e82c62b276adac211c3f839df49e21e
patched libpurple/protocols/oscar/oscar.c
-------------- next part --------------
============================================================
--- libpurple/protocols/oscar/oscar.c dab0aec659fbcd8b1e7f94f530645e24c872f779
+++ libpurple/protocols/oscar/oscar.c e0401bb339b554a4e558b4e2545a1523a9cc7ab8
@@ -1985,7 +1985,8 @@ incomingim_chan4(OscarData *od, FlapConn
case 0x1a: { /* Handle SMS or someone has sent you a greeting card or requested buddies? */
ByteStream qbs;
- int smstype, taglen, smslen;
+ guint16 smstype;
+ guint32 taglen, smslen;
char *tagstr = NULL, *smsmsg = NULL;
xmlnode *xmlroot = NULL, *xmltmp = NULL;
gchar *uin = NULL, *message = NULL;
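Review bot: the unsigned types on the `+ guint16 smstype;` / `+ guint32 taglen, smslen;` lines only close the negative-length path if every callee keeps them unsigned; `byte_stream_getstr(&qbs, taglen)` is called with `taglen` later in this function, so confirm its length parameter is itself unsigned, because a value above INT_MAX passed into an `int` parameter would be read back as negative and this change alone would not help. A one-line comment above the declarations noting that these must stay unsigned because the values come straight off the wire would also stop a later cleanup from quietly reverting them to `int`.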
@@ -1999,12 +2000,23 @@ incomingim_chan4(OscarData *od, FlapConn
if (smstype != 0)
break;
taglen = byte_stream_getle32(&qbs);
+ if (taglen > 2000) {
+ /* Avoid trying to allocate large amounts of memory, in
+ case we get something unexpected. */
+ break;
+ }
tagstr = byte_stream_getstr(&qbs, taglen);
if (tagstr == NULL)
break;
byte_stream_advance(&qbs, 3);
byte_stream_advance(&qbs, 4);
smslen = byte_stream_getle32(&qbs);
+ if (smslen > 2000) {
+ /* Avoid trying to allocate large amounts of memory, in
+ case we get something unexpected. */
+ g_free(tagstr);
+ break;
+ }
smsmsg = byte_stream_getstr(&qbs, smslen);
/* Check if this is an SMS being sent from server */
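Review bot: the limit 2000 in `+ if (taglen > 2000) {` and `+ if (smslen > 2000) {` is a repeated magic number with no explanation of where it comes from; define it once as a named constant and say in the comment that it is a sanity cap on tag and SMS payload size rather than a value derived from the protocol. The checks compare against a fixed constant instead of against how many bytes are actually left in `qbs`, so they stop the oversized allocation the commit message describes but still rely on `byte_stream_getstr` returning NULL when the length exceeds the remaining data; the `if (tagstr == NULL)` test covers that for `tagstr`, and the `smsmsg` result from `byte_stream_getstr(&qbs, smslen)` should get the same NULL check before it is used. The `g_free(tagstr)` on the second early exit is correct and necessary since `tagstr` is already allocated at that point; the first early exit has nothing to free.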