/pidgin/main: 1a892845935f: Merge TALOS-CAN-0119
Gary Kramlich
grim at reaperworld.com
Mon Jun 20 20:09:59 EDT 2016
Changeset: 1a892845935f87166c89d05221790633c9c546d1
Author: Gary Kramlich <grim at reaperworld.com>
Date: 2016-06-12 22:06 -0500
Branch: release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/1a892845935f
Description:
Merge TALOS-CAN-0119
diffstat:
ChangeLog | 2 ++
libpurple/protocols/mxit/http.c | 6 +++---
2 files changed, 5 insertions(+), 3 deletions(-)
diffs (36 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,8 @@ version 2.10.13 (MM/DD/YY):
Talos. (TALOS-CAN-0138, TALOS-CAN-0135)
* Fixed an invalid read. Discovered by Yves Younan of Cisco Talos
(TALOS-CAN-0118)
+ * Fixed a remote buffer overflow vulnerability. Discovered by Yves
+ Younan of Cisco Talos. (TALOS-CAN-0119)
version 2.10.12 (12/31/15):
General:
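Review bot: the new ChangeLog entry does not say which component is affected, while the code change is confined to libpurple/protocols/mxit/http.c. Unless the entry already sits under an MXit heading outside this hunk, naming the MXit protocol plugin here would let packagers and users who do not build that plugin judge their exposure from the ChangeLog alone.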
diff --git a/libpurple/protocols/mxit/http.c b/libpurple/protocols/mxit/http.c
--- a/libpurple/protocols/mxit/http.c
+++ b/libpurple/protocols/mxit/http.c
@@ -97,9 +97,9 @@ static void mxit_cb_http_read( gpointer
{
struct MXitSession* session = (struct MXitSession*) user_data;
char buf[256];
- int buflen;
+ unsigned int buflen;
char* body;
- int bodylen;
+ unsigned int bodylen;
char* ch;
int len;
char* tmp;
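Review bot: `int len;` stays signed while `buflen` and `bodylen` become `unsigned int`, so any comparison or arithmetic that mixes them converts `len` to unsigned. If `len` can hold a negative read result, that conversion turns it into a very large value; confirm that `len` is tested for `<= 0` before it meets either length, or give all three variables one consistent type such as `size_t`. Building this file with `-Wsign-compare` would flag any mixed comparisons left in the function.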
@@ -182,7 +182,7 @@ nextpacket:
goto done;
}
tmp = g_strndup( ch, tmp - ch );
- bodylen = atoi( tmp );
+ bodylen = strtoul( tmp, NULL, 10 );
g_free( tmp );
tmp = NULL;
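Review bot: `bodylen = strtoul( tmp, NULL, 10 );` still takes whatever length the peer sends, with no validation visible in this hunk. `strtoul` returns `unsigned long`, which is silently truncated to `unsigned int` on platforms where `long` is 64 bits; it also accepts a leading minus sign and returns the negated value as unsigned, and with a NULL end pointer a non-numeric or partly numeric field parses as 0 or as its numeric prefix without any error. Suggest passing an end pointer and checking that the whole field was consumed, checking `errno` for `ERANGE`, and rejecting the response when the value exceeds an explicit maximum body size before `bodylen` is used.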