pidgin: 7e159eaa: Fix a crash bug in oscar related to tryi...
markdoliner at pidgin.im
Tue Jul 20 23:36:19 EDT 2010
----------------------------------------------------------------------
Revision: 7e159eaa14b0041fcc3ee5783cd1e4f2d039a1a1
Parent: 8e8ff246492e45af8f8d0808296d6f2906794dc0
Author: markdoliner at pidgin.im
Date: 07/20/10 22:57:51
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/7e159eaa14b0041fcc3ee5783cd1e4f2d039a1a1
Changelog:
Fix a crash bug in oscar related to trying to allocate too much memory.
This was reported to our security mailing list by Jan Kaluza The Great.
I honestly couldn't figure out how to repro this crash, so I've been
considering it as not a remote-crash security problem, so I chose to
skip the CVE process for this.
Changes against parent 8e8ff246492e45af8f8d0808296d6f2906794dc0
patched libpurple/protocols/oscar/oscar.c
============================================================
--- libpurple/protocols/oscar/oscar.c d686e17a2818f4ebdc129959a65532808a727af1
+++ libpurple/protocols/oscar/oscar.c 4b8fce6e8b2d31a97ab97ded4d384a8227b066ba
@@ -3028,12 +3028,23 @@ incomingim_chan4(OscarData *od, FlapConn
if (smstype != 0)
break;
taglen = byte_stream_getle32(&qbs);
+ if (taglen > 2000) {
+ /* Avoid trying to allocate large amounts of memory, in
+ case we get something unexpected. */
+ break;
+ }
tagstr = byte_stream_getstr(&qbs, taglen);
if (tagstr == NULL)
break;
byte_stream_advance(&qbs, 3);
byte_stream_advance(&qbs, 4);
smslen = byte_stream_getle32(&qbs);
+ if (smslen > 2000) {
+ /* Avoid trying to allocate large amounts of memory, in
+ case we get something unexpected. */
+ g_free(tagstr);
+ break;
+ }
smsmsg = byte_stream_getstr(&qbs, smslen);
/* Check if this is an SMS being sent from server */
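Review bot: the two new guards `if (taglen > 2000)` and `if (smslen > 2000)` hard-code the same limit with the same comment, so a single named constant whose comment explains where 2000 comes from would keep the two caps from drifting apart and make the bound easier to audit. Separately, on the `smslen` path the hunk correctly frees `tagstr` before breaking, but the visible lines show no NULL check on `smsmsg` after `smsmsg = byte_stream_getstr(&qbs, smslen);`, unlike the `tagstr == NULL` check above it; if the code that follows dereferences `smsmsg`, the same `== NULL` test with a `g_free(tagstr)` belongs there as well.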
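The pattern the patch is defending against is a length field read from the wire and passed straight to an allocator. The following is an added example, not libpurple's code: it models a small byte-stream reader (the `ByteStream`, `bs_getle32` and `bs_get_bounded_str` names are assumptions, chosen to mirror the shape of the calls in the hunk) and reads the "tag then message" pair with two checks the hunk's logic implies: an absolute cap (2000, matching the patch) applied before any allocation, and a check that the declared length does not exceed the bytes actually remaining, so a truncated packet is rejected rather than read past the buffer. The sample buffers are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical byte-stream reader; not libpurple's ByteStream API. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t offset;
} ByteStream;

/* Upper bound on any single length-prefixed field; 2000 matches the patch. */
#define MAX_FIELD_LEN 2000u

static size_t bs_remaining(const ByteStream *bs) { return bs->len - bs->offset; }

/* Read a little-endian uint32. Returns 0 on success, -1 if fewer than 4 bytes remain. */
static int bs_getle32(ByteStream *bs, uint32_t *out) {
    if (bs_remaining(bs) < 4) return -1;
    const uint8_t *p = bs->data + bs->offset;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    bs->offset += 4;
    return 0;
}

/* Read a length-prefixed string into a fresh NUL-terminated buffer.
 * Returns NULL without allocating when the length field is missing, exceeds
 * max_len, or exceeds the bytes remaining in the stream. */
static char *bs_get_bounded_str(ByteStream *bs, uint32_t max_len) {
    uint32_t n;
    if (bs_getle32(bs, &n) != 0) return NULL;      /* truncated length field */
    if (n > max_len) return NULL;                   /* untrusted length too large */
    if (n > bs_remaining(bs)) return NULL;          /* declared length overruns buffer */
    char *s = malloc((size_t)n + 1);
    if (s == NULL) return NULL;
    memcpy(s, bs->data + bs->offset, n);
    s[n] = '\0';
    bs->offset += n;
    return s;
}

/* Parse "tag" followed by "message", each length-prefixed.
 * Returns 0 and hands ownership of *tag and *msg to the caller, or -1 with
 * both set to NULL (and nothing leaked) if either field is rejected. */
int parse_tag_and_msg(const uint8_t *buf, size_t buflen, char **tag, char **msg) {
    ByteStream bs = { buf, buflen, 0 };
    *tag = NULL;
    *msg = NULL;
    *tag = bs_get_bounded_str(&bs, MAX_FIELD_LEN);
    if (*tag == NULL) return -1;
    *msg = bs_get_bounded_str(&bs, MAX_FIELD_LEN);
    if (*msg == NULL) {
        free(*tag);          /* mirror the g_free(tagstr) on the smslen path */
        *tag = NULL;
        return -1;
    }
    return 0;
}

/* Constructed samples (not captured traffic). */
/* Well-formed: tag "SMS" (len 3), message "hi" (len 2). */
const uint8_t SAMPLE_OK[] = { 3,0,0,0, 'S','M','S', 2,0,0,0, 'h','i' };
/* Hostile: tag length 0xFFFFFFFF; must be rejected before any allocation. */
const uint8_t SAMPLE_HUGE[] = { 0xff,0xff,0xff,0xff, 'S','M','S' };
/* Under the cap but longer than the data actually present (10 declared, 2 remain). */
const uint8_t SAMPLE_TRUNC[] = { 3,0,0,0, 'S','M','S', 10,0,0,0, 'h','i' };

int main(void) {
    char *tag, *msg;
    if (parse_tag_and_msg(SAMPLE_OK, sizeof SAMPLE_OK, &tag, &msg) == 0) {
        printf("ok: tag=%s msg=%s\n", tag, msg);
        free(tag);
        free(msg);
    }
    printf("huge rejected: %d\n",
           parse_tag_and_msg(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &tag, &msg) == -1);
    printf("truncated rejected: %d\n",
           parse_tag_and_msg(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &tag, &msg) == -1);
    return 0;
}
```

The remaining-bytes check is the one the hunk relies on `byte_stream_getstr` to perform internally; making it explicit in the reader means the cap and the bounds check live in one place rather than being repeated at every call site.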