/pidgin/main: 852014ae74a0: Fix a remotely-triggerable null poin...

Mark Doliner mark at kingant.net
Tue Jan 28 10:38:13 EST 2014


Changeset: 852014ae74a00df470c5e34057b9cc182a8a4750
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2014-01-18 09:01 -0800
Branch:	 release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/852014ae74a0

Description:

Fix a remotely-triggerable null pointer dereference.

diffstat:

 ChangeLog                |   2 ++
 libpurple/conversation.c |   8 ++++++++
 libpurple/log.c          |   8 ++++----
 libpurple/server.c       |  16 ++++++++++++++++
 4 files changed, 30 insertions(+), 4 deletions(-)

diffs (90 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -95,6 +95,8 @@ version 2.10.8:
 	  matches the 'to' address of the iq request. (Discovered by Fabian
 	  Yamaguchi and Christian Wressnegger of the University of Goettingen)
 	  (CVE-2013-6483)
+	* Fix crash on some systems when receiving fake delay timestamps with
+	  extreme values. (Discovered by Jaime Breva Ribes) (CVE-2013-6477)
 	* Fix possible crash or other erratic behavior when selecting a very
 	  small file for your own buddy icon.
 	* Fix crash if the user tries to initiate a voice/video session with a
diff --git a/libpurple/conversation.c b/libpurple/conversation.c
--- a/libpurple/conversation.c
+++ b/libpurple/conversation.c
@@ -1551,6 +1551,14 @@ purple_conv_chat_write(PurpleConvChat *c
 	if (purple_conv_chat_is_user_ignored(chat, who))
 		return;
 
+	if (mtime < 0) {
+		purple_debug_error("conversation",
+				"purple_conv_chat_write ignoring negative timestamp\n");
+		/* TODO: Would be more appropriate to use a value that indicates
+		   that the timestamp is unknown, and surface that in the UI. */
+		mtime = time(NULL);
+	}
+
 	if (!(flags & PURPLE_MESSAGE_WHISPER)) {
 		const char *str;
 
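Review bot: The guard added to purple_conv_chat_write rejects only negative values, while the ChangeLog entry in this same commit describes the trigger as timestamps with "extreme values"; a very large positive mtime can also make localtime() return NULL on platforms with a 64-bit time_t. If such a value can reach a localtime() consumer (those call sites are outside this hunk), the guard could test the conversion itself, e.g. `if (mtime < 0 || localtime(&mtime) == NULL) {`. The same eight-line block is repeated in serv_got_im and serv_got_chat_in in libpurple/server.c, so one shared helper that returns the sanitised time_t would keep the three copies from drifting apart. The function body starts and ends outside the hunk.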
diff --git a/libpurple/log.c b/libpurple/log.c
--- a/libpurple/log.c
+++ b/libpurple/log.c
@@ -753,7 +753,7 @@ static char *log_get_timestamp(PurpleLog
 {
 	gboolean show_date;
 	char *date;
-	struct tm tm;
+	struct tm *tm;
 
 	show_date = (log->type == PURPLE_LOG_SYSTEM) || (time(NULL) > when + 20*60);
 
@@ -763,11 +763,11 @@ static char *log_get_timestamp(PurpleLog
 	if (date != NULL)
 		return date;
 
-	tm = *(localtime(&when));
+	tm = localtime(&when);
 	if (show_date)
-		return g_strdup(purple_date_format_long(&tm));
+		return g_strdup(purple_date_format_long(tm));
 	else
-		return g_strdup(purple_time_format(&tm));
+		return g_strdup(purple_time_format(tm));
 }
 
 /* NOTE: This can return msg (which you may or may not want to g_free())
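Review bot: `tm = localtime(&when);` can now be NULL and is handed straight to purple_date_format_long() or purple_time_format(), so the fix depends on those formatters tolerating a NULL struct tm, which is not visible in this hunk. If they return NULL in that case, g_strdup(NULL) yields NULL and log_get_timestamp passes NULL on to its callers, whose handling of a missing timestamp is also outside the hunk. An explicit guard right after the call would make the contract local, for example `if (tm == NULL) return g_strdup("");` (or whatever placeholder the log formats expect), with a comment noting that localtime() fails for out-of-range values of `when`.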
diff --git a/libpurple/server.c b/libpurple/server.c
--- a/libpurple/server.c
+++ b/libpurple/server.c
@@ -567,6 +567,14 @@ void serv_got_im(PurpleConnection *gc, c
 
 	account  = purple_connection_get_account(gc);
 
+	if (mtime < 0) {
+		purple_debug_error("server",
+				"serv_got_im ignoring negative timestamp\n");
+		/* TODO: Would be more appropriate to use a value that indicates
+		   that the timestamp is unknown, and surface that in the UI. */
+		mtime = time(NULL);
+	}
+
 	/*
 	 * XXX: Should we be setting this here, or relying on prpls to set it?
 	 */
@@ -905,6 +913,14 @@ void serv_got_chat_in(PurpleConnection *
 	g_return_if_fail(who != NULL);
 	g_return_if_fail(message != NULL);
 
+	if (mtime < 0) {
+		purple_debug_error("server",
+				"serv_got_chat_in ignoring negative timestamp\n");
+		/* TODO: Would be more appropriate to use a value that indicates
+		   that the timestamp is unknown, and surface that in the UI. */
+		mtime = time(NULL);
+	}
+
 	for (bcs = g->buddy_chats; bcs != NULL; bcs = bcs->next) {
 		conv = (PurpleConversation *)bcs->data;
 
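Review bot: The debug message added in serv_got_chat_in omits the two facts needed to trace a malformed-timestamp message to its origin: the rejected value and the sender. `who` is already checked non-NULL just above the guard, so the call could be `purple_debug_error("server", "serv_got_chat_in ignoring negative timestamp %" G_GINT64_FORMAT " from %s\n", (gint64)mtime, who);`. Without this, repeated probing from a single remote contact cannot be distinguished in the debug log from unrelated clock errors.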


