/pidgin/main: fe36722f772e: Fix non-nul terminated buffer during...

Mark Doliner mark at kingant.net
Tue Jan 28 10:38:09 EST 2014


Changeset: fe36722f772e402b243faabaff0f544e1021307f
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2013-04-14 13:01 -0700
Branch:	 release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/fe36722f772e

Description:

Fix non-nul terminated buffer during oscar direct connect negotiation.
User must have either accepted the direct connect request or initiated it
in order to trigger this.

CID 732103

diffstat:

 libpurple/protocols/oscar/odc.c |  8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diffs (39 lines):

diff --git a/libpurple/protocols/oscar/odc.c b/libpurple/protocols/oscar/odc.c
--- a/libpurple/protocols/oscar/odc.c
+++ b/libpurple/protocols/oscar/odc.c
@@ -266,7 +266,6 @@ peer_odc_handle_payload(PeerConnection *
 	 * problems while parsing the binary data section then we stop
 	 * parsing it, and the local user will see broken image icons.
 	 */
-	/* TODO: Use a length argument when looking for the <binary> tag! */
 	binary_start = purple_strcasestr(msg, "<binary>");
 	if (binary_start == NULL)
 		msgend = dataend;
@@ -278,7 +277,6 @@ peer_odc_handle_payload(PeerConnection *
 		tmp = binary_start + 8;
 
 		/* The embedded binary markup has a mimimum length of 29 bytes */
-		/* TODO: Use a length argument when looking for the <data> tag! */
 		while ((tmp + 29 <= dataend) &&
 				purple_markup_find_tag("data", tmp, &start, &tmp, &attributes))
 		{
@@ -463,6 +461,10 @@ peer_odc_recv_cb(gpointer data, gint sou
 	if (bs->offset < bs->len)
 		/* Waiting for more data to arrive */
 		return;
+	/* TODO: Instead of null-terminating this, it would be better if we just
+	   respected the length of the buffer when parsing it.  But it doesn't
+	   really matter and this is easy. */
+	bs->data[bs->len] = '\0';
 
 	/* We have a complete ODC/OFT frame!  Handle it and continue reading */
 	byte_stream_rewind(bs);
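Review bot: The new write `bs->data[bs->len] = '\0';` is in bounds only because peer_odc_recv_frame() now allocates the payload with one extra byte, and nothing at this site records that dependency, so a later change to either function alone can reintroduce a one-byte heap overflow. Suggest replacing the TODO's last sentence with a comment naming the invariant, e.g. `/* In bounds: payload.data is allocated with payload.len + 1 bytes in peer_odc_recv_frame(). */`, and the matching cross-reference on the allocation in the last hunk. peer_odc_recv_cb() begins before this hunk, so it is not visible whether bs is always the frame's payload stream; if any other path can hand this callback a byte stream sized exactly len, the terminator write should move to the allocation site or be guarded by the stream's allocated size.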
@@ -612,7 +614,7 @@ peer_odc_recv_frame(PeerConnection *conn
 		}
 
 		/* We have payload data!  Switch to the ODC watcher to read it. */
-		frame->payload.data = g_new(guint8, frame->payload.len);
+		frame->payload.data = g_new(guint8, frame->payload.len + 1);
 		frame->payload.offset = 0;
 		conn->frame = frame;
 		purple_input_remove(conn->watcher_incoming);
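Review bot: `frame->payload.len + 1` has no visible guard against wrap-around; if payload.len is a fixed-width unsigned value taken from the peer's frame header, a maximal value makes the requested size zero, g_new() hands back no usable block, and the later offset/len comparison and terminator write in peer_odc_recv_cb() operate on a buffer that does not hold len + 1 bytes. peer_odc_recv_frame() begins outside the hunk, so the `}` at the top may close a range check that already rejects oversized payloads; if it does, a short comment on the allocation is enough, e.g. `/* +1 so peer_odc_recv_cb() can NUL-terminate the payload before parsing it as text. */`. If no such bound exists, the check belongs before this allocation.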


