/pidgin/main: 6bd2dd10e5da: Simple: fix a possible NULL-pointer ...

Tomasz Wasilczyk twasilczyk at pidgin.im
Tue Jan 28 10:38:10 EST 2014


Changeset: 6bd2dd10e5da801110f9869c30ce115355e5453d
Author:	 Tomasz Wasilczyk <twasilczyk at pidgin.im>
Date:	 2014-01-10 17:12 +0100
Branch:	 release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/6bd2dd10e5da

Description:

Simple: fix a possible NULL-pointer dereference and add some input filtering. Fixes VRT-2013-1004

diffstat:

 libpurple/protocols/simple/simple.c |  2 +-
 libpurple/protocols/simple/sipmsg.c |  5 +++++
 2 files changed, 6 insertions(+), 1 deletions(-)

diffs (27 lines):

diff --git a/libpurple/protocols/simple/simple.c b/libpurple/protocols/simple/simple.c
--- a/libpurple/protocols/simple/simple.c
+++ b/libpurple/protocols/simple/simple.c
@@ -1640,7 +1640,7 @@ static void process_input(struct simple_
 		cur += 2;
 		restlen = conn->inbufused - (cur - conn->inbuf);
 		if(restlen >= msg->bodylen) {
-			dummy = g_malloc(msg->bodylen + 1);
+			dummy = g_new(char, msg->bodylen + 1);
 			memcpy(dummy, cur, msg->bodylen);
 			dummy[msg->bodylen] = '\0';
 			msg->body = dummy;
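Review bot: The memcpy on the line after the `g_new` is only safe because `msg->bodylen` is non-negative and `restlen >= msg->bodylen` has just been checked, and neither invariant is stated here; swapping `g_malloc` for `g_new(char, ...)` changes nothing about that (the multiply-overflow check in `g_new` is a no-op for `sizeof(char)`). A comment above the allocation would make the dependency on the parser explicit: `/* bodylen is clamped to >= 0 at parse time and restlen bounds the copy, so bodylen + 1 cannot underflow here */`. Whether `restlen` and `bodylen` share a signedness so the comparison is not promoted to unsigned cannot be seen from this hunk; worth confirming where the locals are declared. process_input starts and ends outside this hunk.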
diff --git a/libpurple/protocols/simple/sipmsg.c b/libpurple/protocols/simple/sipmsg.c
--- a/libpurple/protocols/simple/sipmsg.c
+++ b/libpurple/protocols/simple/sipmsg.c
@@ -114,6 +114,11 @@ struct sipmsg *sipmsg_parse_header(const
 	tmp2 = sipmsg_find_header(msg, "Content-Length");
 	if (tmp2 != NULL)
 		msg->bodylen = strtol(tmp2, NULL, 10);
+	if (msg->bodylen < 0) {
+		purple_debug_warning("simple", "Invalid body length: %d",
+			msg->bodylen);
+		msg->bodylen = 0;
+	}
 
 	if(msg->response) {
 		tmp2 = sipmsg_find_header(msg, "CSeq");
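Review bot: The new `msg->bodylen < 0` clamp only catches values that come out negative, but the `strtol` on the preceding line is still unchecked: it takes no end pointer, so `"12abc"` parses as 12 and a non-numeric value silently becomes 0, and `errno`/`ERANGE` is never inspected. Because the `long` result is stored into what the `%d` in the warning suggests is an `int`, on LP64 hosts a Content-Length of 4294967297 truncates to 1 and passes the new check, so the body is framed with a different length than the peer sent; on 32-bit `long` an overflowing value saturates at `LONG_MAX` without error and is accepted as `INT_MAX`. Parsing into a `long` with an end pointer, clearing `errno` first, and rejecting trailing junk, `ERANGE`, negatives and anything above `INT_MAX` before the assignment closes all of these; if `sipmsg_find_header` can return values with trailing whitespace, the `*end != '\0'` test would need to tolerate it. Separately, libpurple's `purple_debug_*` messages conventionally end in `\n`, which the new warning lacks. sipmsg_parse_header continues past the end of this hunk.
```c
	tmp2 = sipmsg_find_header(msg, "Content-Length");
	if (tmp2 != NULL) {
		char *end = NULL;
		long len;

		errno = 0;
		len = strtol(tmp2, &end, 10);
		/* reject empty, trailing junk, overflow, negative, or values an int can't hold */
		if (end == tmp2 || *end != '\0' || errno == ERANGE
		    || len < 0 || len > INT_MAX) {
			purple_debug_warning("simple", "Invalid Content-Length: %s\n", tmp2);
			len = 0;
		}
		msg->bodylen = (int)len;
	}
	/* … unchanged: CSeq handling … */
```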


