/pidgin/main: 23cbfff68a0c: msn: Fix NUL-pointer deref issue par...

[Daniel Atallah]

Changeset: 23cbfff68a0c1d1201cc46e0efbd7fe722ab31a4
Author:	 Daniel Atallah <datallah at pidgin.im>
Date:	 2013-03-16 14:17 -0400
Branch:	 release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/23cbfff68a0c

Description:

msn: Fix NUL-pointer deref issue parsing Message Headers

 * Thanks to Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen

diffstat:

 libpurple/protocols/msn/msg.c |  19 ++++++++++---------
 1 files changed, 10 insertions(+), 9 deletions(-)

diffs (50 lines):

diff --git a/libpurple/protocols/msn/msg.c b/libpurple/protocols/msn/msg.c
--- a/libpurple/protocols/msn/msg.c
+++ b/libpurple/protocols/msn/msg.c
@@ -178,6 +178,8 @@ msn_message_parse_payload(MsnMessage *ms
 		g_free(tmp_base);
 		g_return_if_reached();
 	}
+
+	/* NUL-terminate the end of the headers - it'll get skipped over below */
 	*end = '\0';
 
 	/* Split the headers and parse each one */
@@ -195,10 +197,12 @@ msn_message_parse_payload(MsnMessage *ms
 
 			/* The only one I care about is 'boundary' (which is folded from
 			   the key 'Content-Type'), so only process that. */
-			if (!strcmp(key, "boundary")) {
+			if (!strcmp(key, "boundary") && value) {
 				char *end = strchr(value, '\"');
-				*end = '\0';
-				msn_message_set_header(msg, key, value);
+				if (end) {
+					*end = '\0';
+					msn_message_set_header(msg, key, value);
+				}
 			}
 
 			g_strfreev(tokens);
@@ -210,18 +214,15 @@ msn_message_parse_payload(MsnMessage *ms
 		key = tokens[0];
 		value = tokens[1];
 
-		/*if not MIME content ,then return*/
 		if (!strcmp(key, "MIME-Version"))
 		{
-			g_strfreev(tokens);
-			continue;
+			/* Ignore MIME-Version header */
 		}
-
-		if (!strcmp(key, "Content-Type"))
+		else if (!strcmp(key, "Content-Type"))
 		{
 			char *charset, *c;
 
-			if ((c = strchr(value, ';')) != NULL)
+			if (value && (c = strchr(value, ';')) != NULL)
 			{
 				if ((charset = strchr(c, '=')) != NULL)
 				{