pidgin: d1009efa: Fix CVE-2010-0423, a denial of service a...
markdoliner at pidgin.im
markdoliner at pidgin.im
Thu Feb 18 03:16:02 EST 2010
-----------------------------------------------------------------
Revision: d1009efa4da45e8abd8279b454505554627c67c6
Ancestor: ab4716ed6857f669ceb0296e5480729aafba2e9f
Author: markdoliner at pidgin.im
Date: 2010-02-16T09:02:23
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/d1009efa4da45e8abd8279b454505554627c67c6
Modified files:
ChangeLog pidgin/gtkimhtml.c
ChangeLog:
Fix CVE-2010-0423, a denial of service attack due to the parsing
of large numbers of smileys. (Discovered by Antti Hayrynen)
-------------- next part --------------
============================================================
--- ChangeLog 281226fa9dd8739311f42241fe18d563b8fb57f8
+++ ChangeLog 1ff6b9176e6393f1a50db9360e31ef06dc7d8d08
@@ -27,7 +27,7 @@ version 2.6.6 (02/18/2010):
MSN:
* Fix CVE-2010-0277, a possible remote crash when parsing an incoming
- SLP message. Discovered by Fabian Yamaguchi.
+ SLP message. (Discovered by Fabian Yamaguchi)
* File transfer requests will no longer cause a crash if you delete the
file before the other side accepts.
* Received files will no longer hold an extra lock after completion,
@@ -74,6 +74,8 @@ version 2.6.6 (02/18/2010):
Mohta)
Pidgin:
+ * Fix CVE-2010-0423, a denial of service attack due to the parsing
+ of large numbers of smileys. (Discovered by Antti Hayrynen)
* Correctly size conversation and status box entries when the
interior-focus style property is diabled. (Gabriel Schulhof)
* Correctly handle a multiline text field being required in a
============================================================
--- pidgin/gtkimhtml.c 831db77ff290965c58cc0fa7f87269cad65e34ab
+++ pidgin/gtkimhtml.c 23a5c248e7f42d44e06d5883ef04fb99359c382e
@@ -2222,21 +2222,6 @@ gtk_smiley_get_image(GtkIMHtmlSmiley *sm
return smiley->icon;
}
-static GdkPixbufAnimation *
-gtk_smiley_tree_image (GtkIMHtml *imhtml,
- const gchar *sml,
- const gchar *text)
-{
- GtkIMHtmlSmiley *smiley;
-
- smiley = gtk_imhtml_smiley_get(imhtml,sml,text);
-
- if (!smiley)
- return NULL;
-
- return gtk_smiley_get_image(smiley);
-}
-
#define VALID_TAG(x) do { \
if (!g_ascii_strncasecmp (string, x ">", strlen (x ">"))) { \
if (tag) *tag = g_strndup (string, strlen (x)); \
@@ -2695,6 +2680,8 @@ void gtk_imhtml_insert_html_at_iter(GtkI
ws = g_malloc(len + 1);
ws[0] = '\0';
+ g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(0));
+
gtk_text_buffer_begin_user_action(imhtml->text_buffer);
while (pos < len) {
if (*c == '<' && gtk_imhtml_is_tag (c + 1, &tag, &tlen, &type)) {
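Review bot: The added reset has no comment tying it to the 30-per-message cap that gtk_imhtml_insert_smiley_at_iter enforces, and the key string "gtkimhtml_numsmileys_thismsg" is spelled out by hand here and in the other hunks; because g_object_get_data() returns NULL for an unknown key, a single misspelling would silently create a separate, always-zero counter rather than fail. I would add `#define GTK_IMHTML_NUMSMILEYS_THISMSG "gtkimhtml_numsmileys_thismsg"` and `#define GTK_IMHTML_NUMSMILEYS_TOTAL "gtkimhtml_numsmileys_total"` next to VALID_TAG and use them at every get/set site, and precede this line with `/* New message: reset the per-message smiley budget used by gtk_imhtml_insert_smiley_at_iter. */`. The enclosing function gtk_imhtml_insert_html_at_iter starts and ends outside the hunk.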
@@ -3547,6 +3534,8 @@ gtk_imhtml_delete(GtkIMHtml *imhtml, Gtk
}
gtk_text_buffer_delete(imhtml->text_buffer, start, end);
+ g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(0));
+
g_object_unref(object);
}
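Review bot: The total counter is reset to zero on every gtk_imhtml_delete call regardless of what the start..end range contained, so if this function can be reached for a partial deletion (the signature takes two iters, suggesting it can) removing one line would reopen the full 300-smiley budget while the remaining smileys stay in the buffer, weakening the limit this commit introduces. If callers only use it to clear the whole buffer, that assumption should be stated next to the new line, e.g. `/* Assumes the whole buffer is being cleared; a partial delete also resets the total. */`; otherwise the counter should be decremented by the number of smiley anchors in the deleted range instead. The function header of gtk_imhtml_delete is outside the hunk, so I cannot see how it is used from here.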
@@ -4983,12 +4972,33 @@ void gtk_imhtml_insert_smiley_at_iter(Gt
GdkPixbufAnimation *annipixbuf = NULL;
GtkWidget *icon = NULL;
GtkTextChildAnchor *anchor = NULL;
- char *unescaped = purple_unescape_html(smiley);
- GtkIMHtmlSmiley *imhtml_smiley = gtk_imhtml_smiley_get(imhtml, sml, unescaped);
+ char *unescaped;
+ GtkIMHtmlSmiley *imhtml_smiley;
GtkWidget *ebox = NULL;
+ int numsmileys_thismsg, numsmileys_total;
+ /*
+ * This GtkIMHtml has the maximum number of smileys allowed, so don't
+ * add any more. We do this for performance reasons, because smileys
+ * are apparently pretty inefficient. Hopefully we can remove this
+ * restriction when we're using a better HTML widget.
+ */
+ numsmileys_thismsg = GPOINTER_TO_INT(g_object_get_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg"));
+ if (numsmileys_thismsg >= 30) {
+ gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1);
+ return;
+ }
+ numsmileys_total = GPOINTER_TO_INT(g_object_get_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total"));
+ if (numsmileys_total >= 300) {
+ gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1);
+ return;
+ }
+
+ unescaped = purple_unescape_html(smiley);
+ imhtml_smiley = gtk_imhtml_smiley_get(imhtml, sml, unescaped);
+
if (imhtml->format_functions & GTK_IMHTML_SMILEY) {
- annipixbuf = gtk_smiley_tree_image(imhtml, sml, unescaped);
+ annipixbuf = imhtml_smiley ? gtk_smiley_get_image(imhtml_smiley) : NULL;
if (annipixbuf) {
if (gdk_pixbuf_animation_is_static_image(annipixbuf)) {
pixbuf = gdk_pixbuf_animation_get_static_image(annipixbuf);
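Review bot: The caps in the two new comparisons are bare literals (30 and 300); the block comment above them explains why a limit exists but not what each number bounds, and these are the only tuning knobs of the CVE-2010-0423 mitigation. I would name them next to VALID_TAG, `#define GTK_IMHTML_MAX_SMILEYS_PER_MSG 30` and `#define GTK_IMHTML_MAX_SMILEYS_TOTAL 300`, and since both early-return branches do the same thing they can be folded into one `if (numsmileys_thismsg >= GTK_IMHTML_MAX_SMILEYS_PER_MSG || numsmileys_total >= GTK_IMHTML_MAX_SMILEYS_TOTAL) {`. Returning before purple_unescape_html() is the right order, as it avoids allocating `unescaped` on the rejected path. gtk_imhtml_insert_smiley_at_iter begins before this hunk and its tail is in the later hunks.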
@@ -5042,6 +5052,9 @@ void gtk_imhtml_insert_smiley_at_iter(Gt
if (ebox)
gtk_container_add(GTK_CONTAINER(ebox), icon);
gtk_text_view_add_child_at_anchor(GTK_TEXT_VIEW(imhtml), ebox ? ebox : icon, anchor);
+
+ g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(numsmileys_thismsg + 1));
+ g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(numsmileys_total + 1));
} else if (imhtml_smiley != NULL && (imhtml->format_functions & GTK_IMHTML_SMILEY)) {
anchor = gtk_text_buffer_create_child_anchor(imhtml->text_buffer, iter);
imhtml_smiley->anchors = g_slist_append(imhtml_smiley->anchors, g_object_ref(anchor));
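Review bot: The two g_object_set_data() increments added at the end of this branch are repeated verbatim in the next hunk's branch, so a later change to one copy (or to the key strings) can leave the counters out of step between the pixbuf and the custom-smiley paths. Since only the final `else` inserts plain text, the increments could live once after the if/else chain, guarded by a local such as `gboolean counted = TRUE;` that the text branch sets to FALSE; I cannot see what follows the chain in the function, so that placement needs checking against the rest of gtk_imhtml_insert_smiley_at_iter. The same applies to the copy after the second gtk_text_view_add_child_at_anchor() call.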
@@ -5054,6 +5067,9 @@ void gtk_imhtml_insert_smiley_at_iter(Gt
g_object_set_data_full(G_OBJECT(anchor), "gtkimhtml_htmltext", g_strdup(smiley), g_free);
gtk_text_view_add_child_at_anchor(GTK_TEXT_VIEW(imhtml), ebox, anchor);
}
+
+ g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(numsmileys_thismsg + 1));
+ g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(numsmileys_total + 1));
} else {
gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1);
}