/pidgin/main: 884d566be000: Merge changes from the public pidgin...

Mark Doliner mark at kingant.net
Wed Oct 22 10:20:29 EDT 2014 

Changeset: 884d566be000dbf9042aed7c48412f5b53252aa2
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2014-07-08 00:00 -0700
Branch:	 default
URL: https://hg.pidgin.im/pidgin/main/rev/884d566be000

Description:

Merge changes from the public pidgin.main default branch into the
private default branch.

No manual changes needed.

diffstat:

 ChangeLog                            |  13 ++++++++
 libpurple/protocols/mxit/markup.c    |  45 ++++++++++++++++++++++----
 libpurple/protocols/novell/nmevent.c |  29 +++++++++--------
 pidgin/win32/untar.c                 |  58 ++++++++++++++---------------------
 4 files changed, 90 insertions(+), 55 deletions(-)

diffs (truncated from 414 to 300 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -74,6 +74,9 @@ version 2.10.10 (?/?/?):
 	* Fix loading Google Talk and Facebook XMPP accounts.
 
 	Windows-Specific Changes:
+	* Don't allow overwriting arbitrary files on the file system when the
+	  user installs a smiley theme via drag-and-drop. (Discovered by Yves
+	  Younan of Sourcefire VRT)
 	* Updates to dependencies:
 		* NSS 3.16 and NSPR 4.10.4
 
@@ -83,10 +86,20 @@ version 2.10.10 (?/?/?):
 	Gadu-Gadu:
 	* Updated internal libgadu to version 1.12.0.
 
+	Groupwise:
+	* Fix potential remote crash parsing server message that indicates that
+	  a large amount of memory should be allocated. (Discovered by Yves Younan
+	  and Richard Johnson of Sourcefire VRT) (CVE-2014-NNNN)
+
 	IRC:
 	* Fix a possible leak of unencrypted data when using /me command
 	  with OTR. (Thijs Alkemade) (#15750)
 
+	MXit:
+	* Fix potential remote crash parsing a malformed emoticon response.
+	  (Discovered by Yves Younan and Richard Johnson of Sourcefire VRT)
+	  (CVE-2014-NNNN)
+
 	XMPP:
 	* Fix Facebook XMPP roster quirks. (#15041, #15957)
 
diff --git a/libpurple/protocols/mxit/markup.c b/libpurple/protocols/mxit/markup.c
--- a/libpurple/protocols/mxit/markup.c
+++ b/libpurple/protocols/mxit/markup.c
@@ -165,16 +165,22 @@ void mxit_add_html_link( struct RXMsgDat
  * Extract an ASN.1 formatted length field from the data.
  *
  *  @param data				The source data
+ *  @param data_len			Length of data
  *  @param size				The extracted length
  *  @return					The number of bytes extracted
  */
-static unsigned int asn_getlength( const gchar* data, int* size )
+static unsigned int asn_getlength( const gchar* data, gsize data_len, int* size )
 {
 	unsigned int	len		= 0;
 	unsigned char	bytes;
 	unsigned char	byte;
 	int				i;
 
+	if ( data_len < 1 ) {
+		/* missing first byte! */
+		return -1;
+	}
+
 	/* first byte specifies the number of bytes in the length */
 	bytes = ( data[0] & ~0x80 );
 	if ( bytes > sizeof( unsigned int ) ) {
@@ -183,6 +189,11 @@ static unsigned int asn_getlength( const
 	}
 	data++;
 
+	if ( data_len - 1 < bytes ) {
+		/* missing length! */
+		return -1;
+	}
+
 	/* parse out the actual length */
 	for ( i = 0; i < bytes; i++ ) {
 		byte = data[i];
@@ -199,15 +210,21 @@ static unsigned int asn_getlength( const
  * Extract an ASN.1 formatted UTF-8 string field from the data.
  *
  *  @param data				The source data
+ *  @param data_len			Length of data
  *  @param type				Expected type of string
  *  @param utf8				The extracted string.  Must be deallocated by caller.
  *  @return					The number of bytes extracted
  */
-static int asn_getUtf8( const gchar* data, gchar type, char** utf8 )
+static int asn_getUtf8( const gchar* data, gsize data_len, gchar type, char** utf8 )
 {
 	unsigned int len;
 	gchar *out_str;
 
+	if ( data_len < 2 ) {
+		/* missing type or length! */
+		return -1;
+	}
+
 	/* validate the field type [1 byte] */
 	if ( data[0] != type ) {
 		/* this is not a utf-8 string! */
@@ -216,6 +233,11 @@ static int asn_getUtf8( const gchar* dat
 	}
 
 	len = (guint8)data[1]; /* length field [1 byte] */
+	if ( data_len - 2 < len ) {
+		/* not enough bytes left in data! */
+		return -1;
+	}
+
 	out_str = g_malloc(len + 1);
 	memcpy(out_str, &data[2], len); /* data field */
 	out_str[len] = '\0';
@@ -501,7 +523,7 @@ static void emoticon_returned(PurpleHttp
 #endif
 
 	/* validate that the returned data starts with the magic constant that indicates it is a custom emoticon */
-	if ( memcmp( MXIT_FRAME_MAGIC, &data[pos], strlen( MXIT_FRAME_MAGIC ) ) != 0 ) {
+	if ( len - pos < strlen( MXIT_FRAME_MAGIC ) || memcmp( MXIT_FRAME_MAGIC, &data[pos], strlen( MXIT_FRAME_MAGIC ) ) != 0 ) {
 		purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad magic)\n" );
 		goto done;
 	}
@@ -515,7 +537,7 @@ static void emoticon_returned(PurpleHttp
 	pos++;
 
 	/* get the frame image data length */
-	res = asn_getlength( &data[pos], &em_size );
+	res = asn_getlength( &data[pos], len - pos, &em_size );
 	if ( res <= 0 ) {
 		purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad frame length)\n" );
 		goto done;
@@ -526,7 +548,7 @@ static void emoticon_returned(PurpleHttp
 #endif
 
 	/* utf-8 (emoticon name) */
-	res = asn_getUtf8( &data[pos], 0x0C, &str );
+	res = asn_getUtf8( &data[pos], len - pos, 0x0C, &str );
 	if ( res <= 0 ) {
 		purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad name string)\n" );
 		goto done;
@@ -539,7 +561,7 @@ static void emoticon_returned(PurpleHttp
 	str = NULL;
 
 	/* utf-8 (emoticon shortcut) */
-	res = asn_getUtf8( &data[pos], 0x81, &str );
+	res = asn_getUtf8( &data[pos], len - pos, 0x81, &str );
 	if ( res <= 0 ) {
 		purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad shortcut string)\n" );
 		goto done;
@@ -551,7 +573,7 @@ static void emoticon_returned(PurpleHttp
 	em_id = str;
 
 	/* validate the image data type */
-	if ( data[pos] != '\x82' ) {
+	if ( len - pos < 1 || data[pos] != '\x82' ) {
 		purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad data type)\n" );
 		g_free( em_id );
 		goto done;
@@ -559,7 +581,7 @@ static void emoticon_returned(PurpleHttp
 	pos++;
 
 	/* get the data length */
-	res = asn_getlength( &data[pos], &em_size );
+	res = asn_getlength( &data[pos], len - pos, &em_size );
 	if ( res <= 0 ) {
 		/* bad frame length */
 		purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (bad data length)\n" );
@@ -571,6 +593,13 @@ static void emoticon_returned(PurpleHttp
 	purple_debug_info( MXIT_PLUGIN_ID, "read the length '%i'\n", em_size );
 #endif
 
+	if ( len - pos < em_size ) {
+		/* not enough bytes left in data! */
+		purple_debug_error( MXIT_PLUGIN_ID, "Invalid emoticon received from wapsite (data length too long)\n");
+		g_free( em_id );
+		goto done;
+	}
+
 	/* strip the mxit markup tags from the emoticon id (eg, .{XY} -> XY) */
 	if ( ( em_id[0] == '.' ) && ( em_id[1] == '{' ) ) {
 		char	emo[MXIT_MAX_EMO_ID + 1];
diff --git a/libpurple/protocols/novell/nmevent.c b/libpurple/protocols/novell/nmevent.c
--- a/libpurple/protocols/novell/nmevent.c
+++ b/libpurple/protocols/novell/nmevent.c
@@ -149,7 +149,7 @@ handle_receive_message(NMUser * user, NM
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -164,7 +164,7 @@ handle_receive_message(NMUser * user, NM
 	/* Read the message text */
 	if (rc == NM_OK) {
 		rc = nm_read_uint32(conn, &size);
-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+		if (size > 100000)	return NMERR_PROTOCOL;
 
 		if (rc == NM_OK) {
 			msg = g_new0(char, size + 1);
@@ -270,7 +270,7 @@ handle_conference_invite(NMUser * user, 
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -280,7 +280,7 @@ handle_conference_invite(NMUser * user, 
 	/* Read the the message */
 	if (rc == NM_OK) {
 		rc = nm_read_uint32(conn, &size);
-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+		if (size > 100000)	return NMERR_PROTOCOL;
 
 		if (rc == NM_OK) {
 			msg = g_new0(char, size + 1);
@@ -349,7 +349,7 @@ handle_conference_invite_notify(NMUser *
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -401,7 +401,7 @@ handle_conference_reject(NMUser * user, 
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -440,7 +440,7 @@ handle_conference_left(NMUser * user, NM
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -490,7 +490,7 @@ handle_conference_closed(NMUser * user, 
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -530,7 +530,7 @@ handle_conference_joined(NMUser * user, 
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -589,7 +589,7 @@ handle_typing(NMUser * user, NMEvent * e
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -632,7 +632,7 @@ handle_status_change(NMUser * user, NMEv
 
 		/* Read the status text */
 		rc = nm_read_uint32(conn, &size);
-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+		if (size > 10000)	return NMERR_PROTOCOL;
 
 		if (rc == NM_OK) {
 			text = g_new0(char, size + 1);
@@ -670,7 +670,7 @@ handle_undeliverable_status(NMUser * use
 
 	/* Read the conference guid */
 	rc = nm_read_uint32(conn, &size);
-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
+	if (size > 1000)	return NMERR_PROTOCOL;
 
 	if (rc == NM_OK) {
 		guid = g_new0(char, size + 1);
@@ -833,7 +833,10 @@ nm_process_event(NMUser * user, int type
 	/* Read the event source */
 	rc = nm_read_uint32(conn, &size);
 	if (rc == NM_OK) {
-		if (size > 0) {
+		if (size > 1000000) {
+			/* Size is larger than our 1MB sanity check. Ignore it. */
+			rc = NMERR_PROTOCOL;
+		} else {
 			source = g_new0(char, size);
 
 			rc = nm_read_all(conn, source, size);
diff --git a/pidgin/win32/untar.c b/pidgin/win32/untar.c

More information about the Commits mailing list