/pidgin/main: c9e5aba2dafd: Correct HTTP chunked transfers code ...

Tomasz Wasilczyk tomkiewicz at cpw.pidgin.im
Tue Jan 28 10:38:09 EST 2014


Changeset: c9e5aba2dafdd7b94c2e9385f1be4b6461bc0707
Author:	 Tomasz Wasilczyk <tomkiewicz at cpw.pidgin.im>
Date:	 2013-08-20 17:36 +0200
Branch:	 release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/c9e5aba2dafd

Description:

Correct HTTP chunked transfers code (not fixed in rev ebe3fb4a3bc2)

diffstat:

 libpurple/util.c |  7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diffs (35 lines):

diff --git a/libpurple/util.c b/libpurple/util.c
--- a/libpurple/util.c
+++ b/libpurple/util.c
@@ -37,6 +37,8 @@
    specified a length) */
 #define DEFAULT_MAX_HTTP_DOWNLOAD (512 * 1024)
 
+#define MAX_HTTP_CHUNK_SIZE (10 * 1024 * 1024)
+
 struct _PurpleUtilFetchUrlData
 {
 	PurpleUtilFetchUrlCallback callback;
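Review bot: `MAX_HTTP_CHUNK_SIZE` is added without a comment, while the `DEFAULT_MAX_HTTP_DOWNLOAD` define just above it has one. A one-line comment would tell the next reader that it caps the size a single chunk may declare, for example `/* Largest chunk size accepted from a chunked HTTP response; bigger values are treated as malformed */`. It is also worth stating why 10 MiB was chosen, since it is well above the 512 KiB default download limit defined on the previous line.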
@@ -3781,11 +3783,12 @@ process_chunked_data(char *data, gsize *
 			break;
 		s += 2;
 
-		if (s + sz > data + *len) {
+		if (sz > MAX_HTTP_CHUNK_SIZE || s + sz > data + *len) {
 			purple_debug_error("util", "Error processing chunked data: "
 					"Chunk size %" G_GSIZE_FORMAT " bytes was longer "
 					"than the data remaining in the buffer (%"
 					G_GSIZE_FORMAT " bytes)\n", sz, data + *len - s);
+			break;
 		}
 
 		/* Move all data overtop of the chunk length that we read in earlier */
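Review bot: The bounds test `s + sz > data + *len` still computes a pointer past the end of the buffer before comparing, which is undefined behaviour and can in principle wrap on a 32-bit address space. The new `MAX_HTTP_CHUNK_SIZE` cap narrows that window but does not close it. Comparing lengths avoids the pointer arithmetic: `if (sz > MAX_HTTP_CHUNK_SIZE || sz > (gsize)(data + *len - s)) {`, assuming `s` never passes `data + *len` at this point, which the hunk does not show. The log text also says the chunk was "longer than the data remaining" when it was in fact rejected for exceeding the cap, so that case deserves its own message. `process_chunked_data` starts and ends outside this hunk.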
@@ -3793,7 +3796,7 @@ process_chunked_data(char *data, gsize *
 		p += sz;
 		s += sz;
 		newlen += sz;
-		if (*s != '\r' && *(s + 1) != '\n') {
+		if (*s == '\0' || (*s != '\r' && *(s + 1) != '\n')) {
 			purple_debug_error("util", "Error processing chunked data: "
 					"Expected \\r\\n, found: %s\n", s);
 			break;
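Review bot: The terminator check `(*s != '\r' && *(s + 1) != '\n')` fires only when both bytes are wrong, so a chunk followed by `\r` plus any byte, or by any non-NUL byte plus `\n`, is still accepted as well-formed. Using `||` rejects everything except an exact CRLF: `if (*s != '\r' || *(s + 1) != '\n') {`. That also makes the `*s == '\0'` test redundant, because `*(s + 1)` is then read only when `*s` is `\r`. Both the read of `*s` after `s += sz` and the `%s` in the error message rely on the buffer being NUL-terminated at `data[*len]`, which is not visible here and should be confirmed in the caller. The loop body continues outside the hunk.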


