/pidgin/main: be8209a19937: Merge pidgin/main branch release-2.x...
Mark Doliner
mark at kingant.net
Wed Oct 22 10:20:26 EDT 2014
Changeset: be8209a19937b4d5b096dc549a69bfbb60651483
Author: Mark Doliner <mark at kingant.net>
Date: 2014-05-04 14:33 -0700
Branch: release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/be8209a19937
Description:
Merge pidgin/main branch release-2.x.y into private/main branch release-2.x.y.
Only one file with conflicts: ChangeLog.
diffstat:
ChangeLog | 13 ++++++++
libpurple/protocols/mxit/markup.c | 45 ++++++++++++++++++++++----
libpurple/protocols/novell/nmevent.c | 29 +++++++++--------
pidgin/win32/untar.c | 58 ++++++++++++++---------------------
4 files changed, 90 insertions(+), 55 deletions(-)
diffs (truncated from 414 to 300 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,9 @@ version 2.10.10 (?/?/?):
* Fix loading Google Talk and Facebook XMPP accounts.
Windows-Specific Changes:
+ * Don't allow overwriting arbitrary files on the file system when the
+ user installs a smiley theme via drag-and-drop. (Discovered by Yves
+ Younan of Sourcefire VRT)
* Updates to dependencies:
* NSS 3.16 and NSPR 4.10.4
@@ -15,10 +18,20 @@ version 2.10.10 (?/?/?):
Gadu-Gadu:
* Updated internal libgadu to version 1.12.0-rc2.
+ Groupwise:
+ * Fix potential remote crash parsing server message that indicates that
+ a large amount of memory should be allocated. (Discovered by Yves Younan
+ and Richard Johnson of Sourcefire VRT) (CVE-2014-NNNN)
+
IRC:
* Fix a possible leak of unencrypted data when using /me command
with OTR. (Thijs Alkemade) (#15750)
+ MXit:
+ * Fix potential remote crash parsing a malformed emoticon response.
+ (Discovered by Yves Younan and Richard Johnson of Sourcefire VRT)
+ (CVE-2014-NNNN)
+
version 2.10.9 (2/2/2014):
XMPP:
* Fix problems logging into some servers including jabber.org and
diff --git a/libpurple/protocols/mxit/markup.c b/libpurple/protocols/mxit/markup.c
--- a/libpurple/protocols/mxit/markup.c
+++ b/libpurple/protocols/mxit/markup.c
@@ -163,16 +163,22 @@ void mxit_add_html_link( struct RXMsgDat
* Extract an ASN.1 formatted length field from the data.
*
* @param data The source data
+ * @param data_len Length of data
* @param size The extracted length
* @return The number of bytes extracted
*/
-static unsigned int asn_getlength( const gchar* data, int* size )
+static unsigned int asn_getlength( const gchar* data, gsize data_len, int* size )
{
unsigned int len = 0;
unsigned char bytes;
unsigned char byte;
int i;
+ if ( data_len < 1 ) {
+ /* missing first byte! */
+ return -1;
+ }
+
/* first byte specifies the number of bytes in the length */
bytes = ( data[0] & ~0x80 );
if ( bytes > sizeof( unsigned int ) ) {
@@ -181,6 +187,11 @@ static unsigned int asn_getlength( const
}
data++;
+ if ( data_len - 1 < bytes ) {
+ /* missing length! */
+ return -1;
+ }
+
/* parse out the actual length */
for ( i = 0; i < bytes; i++ ) {
byte = data[i];
@@ -197,15 +208,21 @@ static unsigned int asn_getlength( const
* Extract an ASN.1 formatted UTF-8 string field from the data.
*
* @param data The source data
+ * @param data_len Length of data
* @param type Expected type of string
* @param utf8 The extracted string. Must be deallocated by caller.
* @return The number of bytes extracted
*/
-static int asn_getUtf8( const gchar* data, gchar type, char** utf8 )
+static int asn_getUtf8( const gchar* data, gsize data_len, gchar type, char** utf8 )
{
unsigned int len;
gchar *out_str;
+ if ( data_len < 2 ) {
+ /* missing type or length! */
+ return -1;
+ }
+
/* validate the field type [1 byte] */
if ( data[0] != type ) {
/* this is not a utf-8 string! */
@@ -214,6 +231,11 @@ static int asn_getUtf8( const gchar* dat
}
len = (guint8)data[1]; /* length field [1 byte] */
+ if ( data_len - 2 < len ) {
+ /* not enough bytes left in data! */
+ return -1;
+ }
+
out_str = g_malloc(len + 1);
memcpy(out_str, &data[2], len); /* data field */
out_str[len] = '\0';
@@ -500,7 +522,7 @@ static void emoticon_returned( PurpleUti
#endif
/* validate that the returned data starts with the magic constant that indicates it is a custom emoticon */
- if ( memcmp( MXIT_FRAME_MAGIC, &data[pos], strlen( MXIT_FRAME_MAGIC ) ) != 0 ) {
+ if ( len - pos < strlen( MXIT_FRAME_MAGIC ) || memcmp( MXIT_FRAME_MAGIC, &data[pos], strlen( MXIT_FRAME_MAGIC ) ) != 0 ) {
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad magic)\n" );
goto done;
}
@@ -514,7 +536,7 @@ static void emoticon_returned( PurpleUti
pos++;
/* get the frame image data length */
- res = asn_getlength( &data[pos], &em_size );
+ res = asn_getlength( &data[pos], len - pos, &em_size );
if ( res <= 0 ) {
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad frame length)\n" );
goto done;
@@ -525,7 +547,7 @@ static void emoticon_returned( PurpleUti
#endif
/* utf-8 (emoticon name) */
- res = asn_getUtf8( &data[pos], 0x0C, &str );
+ res = asn_getUtf8( &data[pos], len - pos, 0x0C, &str );
if ( res <= 0 ) {
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad name string)\n" );
goto done;
@@ -538,7 +560,7 @@ static void emoticon_returned( PurpleUti
str = NULL;
/* utf-8 (emoticon shortcut) */
- res = asn_getUtf8( &data[pos], 0x81, &str );
+ res = asn_getUtf8( &data[pos], len - pos, 0x81, &str );
if ( res <= 0 ) {
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad shortcut string)\n" );
goto done;
@@ -550,7 +572,7 @@ static void emoticon_returned( PurpleUti
em_id = str;
/* validate the image data type */
- if ( data[pos] != '\x82' ) {
+ if ( len - pos < 1 || data[pos] != '\x82' ) {
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad data type)\n" );
g_free( em_id );
goto done;
@@ -558,7 +580,7 @@ static void emoticon_returned( PurpleUti
pos++;
/* get the data length */
- res = asn_getlength( &data[pos], &em_size );
+ res = asn_getlength( &data[pos], len - pos, &em_size );
if ( res <= 0 ) {
/* bad frame length */
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad data length)\n" );
@@ -570,6 +592,13 @@ static void emoticon_returned( PurpleUti
purple_debug_info( MXIT_PLUGIN_ID, "read the length '%i'\n", em_size );
#endif
+ if ( len - pos < em_size ) {
+ /* not enough bytes left in data! */
+ purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (data length too long)\n");
+ g_free( em_id );
+ goto done;
+ }
+
/* strip the mxit markup tags from the emoticon id (eg, .{XY} -> XY) */
if ( ( em_id[0] == '.' ) && ( em_id[1] == '{' ) ) {
char emo[MXIT_MAX_EMO_ID + 1];
diff --git a/libpurple/protocols/novell/nmevent.c b/libpurple/protocols/novell/nmevent.c
--- a/libpurple/protocols/novell/nmevent.c
+++ b/libpurple/protocols/novell/nmevent.c
@@ -149,7 +149,7 @@ handle_receive_message(NMUser * user, NM
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -164,7 +164,7 @@ handle_receive_message(NMUser * user, NM
/* Read the message text */
if (rc == NM_OK) {
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 100000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
msg = g_new0(char, size + 1);
@@ -270,7 +270,7 @@ handle_conference_invite(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -280,7 +280,7 @@ handle_conference_invite(NMUser * user,
/* Read the the message */
if (rc == NM_OK) {
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 100000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
msg = g_new0(char, size + 1);
@@ -349,7 +349,7 @@ handle_conference_invite_notify(NMUser *
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -401,7 +401,7 @@ handle_conference_reject(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -440,7 +440,7 @@ handle_conference_left(NMUser * user, NM
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -490,7 +490,7 @@ handle_conference_closed(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -530,7 +530,7 @@ handle_conference_joined(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -589,7 +589,7 @@ handle_typing(NMUser * user, NMEvent * e
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -632,7 +632,7 @@ handle_status_change(NMUser * user, NMEv
/* Read the status text */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 10000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
text = g_new0(char, size + 1);
@@ -670,7 +670,7 @@ handle_undeliverable_status(NMUser * use
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -833,7 +833,10 @@ nm_process_event(NMUser * user, int type
/* Read the event source */
rc = nm_read_uint32(conn, &size);
if (rc == NM_OK) {
- if (size > 0) {
+ if (size > 1000000) {
+ /* Size is larger than our 1MB sanity check. Ignore it. */
+ rc = NMERR_PROTOCOL;
+ } else {
source = g_new0(char, size);
rc = nm_read_all(conn, source, size);
diff --git a/pidgin/win32/untar.c b/pidgin/win32/untar.c
More information about the Commits
mailing list