/pidgin/main: df4d0ab7eaae: facebook-json: fixed a size overflow...

James Geboski jgeboski at gmail.com
Mon Dec 21 16:38:17 EST 2015


Changeset: df4d0ab7eaae8edcc5f1bc8fbfcd50d319586f74
Author:	 James Geboski <jgeboski at gmail.com>
Date:	 2015-12-21 16:35 -0500
Branch:	 default
URL: https://hg.pidgin.im/pidgin/main/rev/df4d0ab7eaae

Description:

facebook-json: fixed a size overflow with string duplication

Unlike json_parser_load_from_data(), g_strndup() will not handle signed
sizes that are negative. This causes the size to overflow to a really
large value, and in turn leads to a segmentation fault.

The solution is simple: calculate the size of the data when the given
size is negative.

This bug was introduced by 7f8a2f301a82.

diffstat:

 libpurple/protocols/facebook/json.c |  7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diffs (19 lines):

diff --git a/libpurple/protocols/facebook/json.c b/libpurple/protocols/facebook/json.c
--- a/libpurple/protocols/facebook/json.c
+++ b/libpurple/protocols/facebook/json.c
@@ -262,9 +262,14 @@ fb_json_node_new(const gchar *data, gssi
 	JsonNode *root;
 	JsonParser *prsr;
 
+	g_return_val_if_fail(data != NULL, NULL);
+
+	if (size < 0) {
+		size = strlen(data);
+	}
+
 	/* Ensure data is null terminated for json-glib < 1.0.2 */
 	slice = g_strndup(data, size);
-
 	prsr = json_parser_new();
 
 	if (!json_parser_load_from_data(prsr, slice, size, error)) {
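Review bot: the removed blank line between `slice = g_strndup(data, size);` and `prsr = json_parser_new();` is an unrelated whitespace change in a bug-fix commit; leave it out so the hunk contains only the fix. The ordering of the new lines is right: `g_return_val_if_fail(data != NULL, NULL);` must stay ahead of `size = strlen(data);`, since the `strlen()` call is what would dereference a NULL `data` on the negative-size path. Consider extending the existing `/* Ensure data is null terminated ... */` comment to say that a negative `size` now means "NUL-terminated, measure it", so the contract of the parameter is documented next to the code that relies on it.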
