/pidgin/main: df4d0ab7eaae: facebook-json: fixed a size overflow...
James Geboski
jgeboski at gmail.com
Mon Dec 21 16:38:17 EST 2015
Changeset: df4d0ab7eaae8edcc5f1bc8fbfcd50d319586f74
Author: James Geboski <jgeboski at gmail.com>
Date: 2015-12-21 16:35 -0500
Branch: default
URL: https://hg.pidgin.im/pidgin/main/rev/df4d0ab7eaae
Description:
facebook-json: fixed a size overflow with string duplication
Unlike json_parser_load_from_data(), g_strndup() will not handle signed
sizes that are negative. This causes the size to overflow to a really
large value, and in turn lead to a segmentation fault.
The solution is simple: calculate the size of the data when the given
size is negative.
This bug was introduced by 7f8a2f301a82.
diffstat:
libpurple/protocols/facebook/json.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diffs (19 lines):
diff --git a/libpurple/protocols/facebook/json.c b/libpurple/protocols/facebook/json.c
--- a/libpurple/protocols/facebook/json.c
+++ b/libpurple/protocols/facebook/json.c
@@ -262,9 +262,14 @@ fb_json_node_new(const gchar *data, gssi
JsonNode *root;
JsonParser *prsr;
+ g_return_val_if_fail(data != NULL, NULL);
+
+ if (size < 0) {
+ size = strlen(data);
+ }
+
/* Ensure data is null terminated for json-glib < 1.0.2 */
slice = g_strndup(data, size);
-
prsr = json_parser_new();
if (!json_parser_load_from_data(prsr, slice, size, error)) {
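Review bot: the new `if (size < 0) { size = strlen(data); }` makes `data` being NUL-terminated a hard requirement whenever a negative size is passed (the same contract json_parser_load_from_data() has for -1), and that contract should be stated in the function's doc comment, since a caller passing a negative size for a non-terminated buffer now reads past its end in strlen() instead of overflowing in g_strndup(); note also that strlen() returns size_t and is narrowed back into the signed gssize `size`, which is only a concern for inputs longer than G_MAXSSIZE. Two smaller points: `g_return_val_if_fail(data != NULL, NULL);` returns without populating `error`, so a caller that only inspects `*error` after a NULL root gets no GError, and the deleted blank line before `prsr = json_parser_new();` is a whitespace change unrelated to the fix that would be cleaner in its own commit.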