/pidgin/main: c96cd4064dd3: Pull changes from ssh://hg at hg.pidgin...
Mark Doliner
mark at kingant.net
Wed Oct 22 10:20:29 EDT 2014
Changeset: c96cd4064dd318378bc837e59cdeddb8d9885e7b
Author: Mark Doliner <mark at kingant.net>
Date: 2014-06-17 23:21 -0700
Branch: default
URL: https://hg.pidgin.im/pidgin/main/rev/c96cd4064dd3
Description:
Pull changes from ssh://hg@hg.pidgin.im/pidgin/main into the private
repo and merge heads.
Easy manual merge: Only conflicts were in ChangeLog.
diffstat:
ChangeLog | 13 ++++++++
libpurple/protocols/mxit/markup.c | 45 ++++++++++++++++++++++----
libpurple/protocols/novell/nmevent.c | 29 +++++++++--------
pidgin/win32/untar.c | 58 ++++++++++++++---------------------
4 files changed, 90 insertions(+), 55 deletions(-)
diffs (truncated from 414 to 300 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -74,6 +74,9 @@ version 2.10.10 (?/?/?):
* Fix loading Google Talk and Facebook XMPP accounts.
Windows-Specific Changes:
+ * Don't allow overwriting arbitrary files on the file system when the
+ user installs a smiley theme via drag-and-drop. (Discovered by Yves
+ Younan of Sourcefire VRT)
* Updates to dependencies:
* NSS 3.16 and NSPR 4.10.4
@@ -83,10 +86,20 @@ version 2.10.10 (?/?/?):
Gadu-Gadu:
* Updated internal libgadu to version 1.12.0.
+ Groupwise:
+ * Fix potential remote crash parsing server message that indicates that
+ a large amount of memory should be allocated. (Discovered by Yves Younan
+ and Richard Johnson of Sourcefire VRT) (CVE-2014-NNNN)
+
IRC:
* Fix a possible leak of unencrypted data when using /me command
with OTR. (Thijs Alkemade) (#15750)
+ MXit:
+ * Fix potential remote crash parsing a malformed emoticon response.
+ (Discovered by Yves Younan and Richard Johnson of Sourcefire VRT)
+ (CVE-2014-NNNN)
+
XMPP:
* Fix Facebook XMPP roster quirks. (#15041, #15957)
diff --git a/libpurple/protocols/mxit/markup.c b/libpurple/protocols/mxit/markup.c
--- a/libpurple/protocols/mxit/markup.c
+++ b/libpurple/protocols/mxit/markup.c
@@ -165,16 +165,22 @@ void mxit_add_html_link( struct RXMsgDat
* Extract an ASN.1 formatted length field from the data.
*
* @param data The source data
+ * @param data_len Length of data
* @param size The extracted length
* @return The number of bytes extracted
*/
-static unsigned int asn_getlength( const gchar* data, int* size )
+static unsigned int asn_getlength( const gchar* data, gsize data_len, int* size )
{
unsigned int len = 0;
unsigned char bytes;
unsigned char byte;
int i;
+ if ( data_len < 1 ) {
+ /* missing first byte! */
+ return -1;
+ }
+
/* first byte specifies the number of bytes in the length */
bytes = ( data[0] & ~0x80 );
if ( bytes > sizeof( unsigned int ) ) {
@@ -183,6 +189,11 @@ static unsigned int asn_getlength( const
}
data++;
+ if ( data_len - 1 < bytes ) {
+ /* missing length! */
+ return -1;
+ }
+
/* parse out the actual length */
for ( i = 0; i < bytes; i++ ) {
byte = data[i];
@@ -199,15 +210,21 @@ static unsigned int asn_getlength( const
* Extract an ASN.1 formatted UTF-8 string field from the data.
*
* @param data The source data
+ * @param data_len Length of data
* @param type Expected type of string
* @param utf8 The extracted string. Must be deallocated by caller.
* @return The number of bytes extracted
*/
-static int asn_getUtf8( const gchar* data, gchar type, char** utf8 )
+static int asn_getUtf8( const gchar* data, gsize data_len, gchar type, char** utf8 )
{
unsigned int len;
gchar *out_str;
+ if ( data_len < 2 ) {
+ /* missing type or length! */
+ return -1;
+ }
+
/* validate the field type [1 byte] */
if ( data[0] != type ) {
/* this is not a utf-8 string! */
@@ -216,6 +233,11 @@ static int asn_getUtf8( const gchar* dat
}
len = (guint8)data[1]; /* length field [1 byte] */
+ if ( data_len - 2 < len ) {
+ /* not enough bytes left in data! */
+ return -1;
+ }
+
out_str = g_malloc(len + 1);
memcpy(out_str, &data[2], len); /* data field */
out_str[len] = '\0';
@@ -501,7 +523,7 @@ static void emoticon_returned(PurpleHttp
#endif
/* validate that the returned data starts with the magic constant that indicates it is a custom emoticon */
- if ( memcmp( MXIT_FRAME_MAGIC, &data[pos], strlen( MXIT_FRAME_MAGIC ) ) != 0 ) {
+ if ( len - pos < strlen( MXIT_FRAME_MAGIC ) || memcmp( MXIT_FRAME_MAGIC, &data[pos], strlen( MXIT_FRAME_MAGIC ) ) != 0 ) {
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad magic)\n" );
goto done;
}
@@ -515,7 +537,7 @@ static void emoticon_returned(PurpleHttp
pos++;
/* get the frame image data length */
- res = asn_getlength( &data[pos], &em_size );
+ res = asn_getlength( &data[pos], len - pos, &em_size );
if ( res <= 0 ) {
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad frame length)\n" );
goto done;
@@ -526,7 +548,7 @@ static void emoticon_returned(PurpleHttp
#endif
/* utf-8 (emoticon name) */
- res = asn_getUtf8( &data[pos], 0x0C, &str );
+ res = asn_getUtf8( &data[pos], len - pos, 0x0C, &str );
if ( res <= 0 ) {
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad name string)\n" );
goto done;
@@ -539,7 +561,7 @@ static void emoticon_returned(PurpleHttp
str = NULL;
/* utf-8 (emoticon shortcut) */
- res = asn_getUtf8( &data[pos], 0x81, &str );
+ res = asn_getUtf8( &data[pos], len - pos, 0x81, &str );
if ( res <= 0 ) {
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad shortcut string)\n" );
goto done;
@@ -551,7 +573,7 @@ static void emoticon_returned(PurpleHttp
em_id = str;
/* validate the image data type */
- if ( data[pos] != '\x82' ) {
+ if ( len - pos < 1 || data[pos] != '\x82' ) {
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad data type)\n" );
g_free( em_id );
goto done;
@@ -559,7 +581,7 @@ static void emoticon_returned(PurpleHttp
pos++;
/* get the data length */
- res = asn_getlength( &data[pos], &em_size );
+ res = asn_getlength( &data[pos], len - pos, &em_size );
if ( res <= 0 ) {
/* bad frame length */
purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad data length)\n" );
@@ -571,6 +593,13 @@ static void emoticon_returned(PurpleHttp
purple_debug_info( MXIT_PLUGIN_ID, "read the length '%i'\n", em_size );
#endif
+ if ( len - pos < em_size ) {
+ /* not enough bytes left in data! */
+ purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (data length too long)\n");
+ g_free( em_id );
+ goto done;
+ }
+
/* strip the mxit markup tags from the emoticon id (eg, .{XY} -> XY) */
if ( ( em_id[0] == '.' ) && ( em_id[1] == '{' ) ) {
char emo[MXIT_MAX_EMO_ID + 1];
diff --git a/libpurple/protocols/novell/nmevent.c b/libpurple/protocols/novell/nmevent.c
--- a/libpurple/protocols/novell/nmevent.c
+++ b/libpurple/protocols/novell/nmevent.c
@@ -149,7 +149,7 @@ handle_receive_message(NMUser * user, NM
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -164,7 +164,7 @@ handle_receive_message(NMUser * user, NM
/* Read the message text */
if (rc == NM_OK) {
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 100000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
msg = g_new0(char, size + 1);
@@ -270,7 +270,7 @@ handle_conference_invite(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -280,7 +280,7 @@ handle_conference_invite(NMUser * user,
/* Read the the message */
if (rc == NM_OK) {
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 100000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
msg = g_new0(char, size + 1);
@@ -349,7 +349,7 @@ handle_conference_invite_notify(NMUser *
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -401,7 +401,7 @@ handle_conference_reject(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -440,7 +440,7 @@ handle_conference_left(NMUser * user, NM
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -490,7 +490,7 @@ handle_conference_closed(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -530,7 +530,7 @@ handle_conference_joined(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -589,7 +589,7 @@ handle_typing(NMUser * user, NMEvent * e
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -632,7 +632,7 @@ handle_status_change(NMUser * user, NMEv
/* Read the status text */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 10000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
text = g_new0(char, size + 1);
@@ -670,7 +670,7 @@ handle_undeliverable_status(NMUser * use
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -833,7 +833,10 @@ nm_process_event(NMUser * user, int type
/* Read the event source */
rc = nm_read_uint32(conn, &size);
if (rc == NM_OK) {
- if (size > 0) {
+ if (size > 1000000) {
+ /* Size is larger than our 1MB sanity check. Ignore it. */
+ rc = NMERR_PROTOCOL;
+ } else {
source = g_new0(char, size);
rc = nm_read_all(conn, source, size);
diff --git a/pidgin/win32/untar.c b/pidgin/win32/untar.c
More information about the Commits
mailing list