/pidgin/main: ea46ab68f0dc: Fix a possible information leak when...

Mark Doliner mark at kingant.net
Wed Oct 22 10:20:30 EDT 2014


Changeset: ea46ab68f0dc5286e8b3c5620fe31898c769caff
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2014-10-13 23:47 -0700
Branch:	 release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/ea46ab68f0dc

Description:

Fix a possible information leak when prepping XMPP JIDs.

Discovered and fixed by Thijs Alkemade and Paul Aurich and reported
to us privately on our security at pidgin.im mailing list.

diffstat:

 ChangeLog                          |  5 +++++
 libpurple/protocols/jabber/jutil.c |  6 ++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diffs (40 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -45,6 +45,11 @@ version 2.10.10 (10/22/14):
 	  (CVE-2014-NNNN)
 
 	XMPP:
+	* Fix potential information leak where a malicious XMPP server and
+	  possibly even a malicious remote user could create a carefully crafted
+	  XMPP message that causes libpurple to send an XMPP message containing
+	  arbitrary memory. (Discovered and fixed by Thijs Alkemade and Paul
+	  Aurich) (CVE-2014-NNNN)
 	* Fix Facebook XMPP roster quirks. (#15041, #15957)
 
 	Yahoo:
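Review bot: the new entry still carries the `(CVE-2014-NNNN)` placeholder, the same unfilled token the preceding entry at the top of this hunk uses; fill in the assigned identifier before the 2.10.10 ChangeLog is tagged, or mark it as pending so readers do not take `NNNN` for a real number.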
diff --git a/libpurple/protocols/jabber/jutil.c b/libpurple/protocols/jabber/jutil.c
--- a/libpurple/protocols/jabber/jutil.c
+++ b/libpurple/protocols/jabber/jutil.c
@@ -81,10 +81,10 @@ jabber_idn_validate(const char *str, con
 
 		if (slash) {
 			domain_len = slash - str;
-			resource = slash;
+			resource = slash + 1;
 			resource_len = null - (slash + 1);
 		} else {
-			domain_len = null - (str + 1);
+			domain_len = null - str;
 		}
 	}
 
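Review bot: the `else` branch now computes `domain_len = null - str`, which, like `domain_len = slash - str` in the `if (slash)` branch, assumes `str` already points at the first byte of the domain rather than at the `@` separator (the old `null - (str + 1)` undercounted by one under that assumption, and the old `resource = slash` paired a pointer at the `/` with a `resource_len` that excluded it). A one-line comment above `if (slash)` stating that invariant would make it visible that both branches share the same base pointer. Also note that nothing in this hunk rejects a zero-length domain (`str` sitting directly on the `/` or on the terminator); if that case is not caught elsewhere in `jabber_idn_validate`, a `domain_len == 0` check here would be the natural place.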
@@ -126,6 +126,8 @@ jabber_idn_validate(const char *str, con
 			jid = NULL;
 			goto out;
 		}
+
+		jid->domain = g_strndup(domain, domain_len);
 	} else {
 		/* Apply nameprep */
 		if (stringprep_nameprep(idn_buffer, sizeof(idn_buffer)) != STRINGPREP_OK) {
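Review bot: the added `jid->domain = g_strndup(domain, domain_len);` sits after the check that does `goto out`, so the copy is made only once the domain has passed validation and no allocation is left dangling on the error path. Since the matching nameprep `else` branch is not visible in this hunk, add a short comment saying this branch is responsible for populating `jid->domain` itself; without it, a future reader cannot tell from the code that the field was previously left unset here, which is what let `jid->domain` carry whatever memory it happened to point at.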


