/pidgin/main: 2ba646d2f879: Merged TALOS-CAN-0133

Gary Kramlich grim at reaperworld.com
Mon Jun 20 20:09:59 EDT 2016


Changeset: 2ba646d2f87902df4736c7f0ad8bfa3d89426d79
Author:	 Gary Kramlich <grim at reaperworld.com>
Date:	 2016-06-12 22:11 -0500
Branch:	 release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/2ba646d2f879

Description:

Merged TALOS-CAN-0133

diffstat:

 ChangeLog                           |   3 +++
 libpurple/protocols/mxit/formcmds.c |  20 ++++++++++++++------
 2 files changed, 17 insertions(+), 6 deletions(-)

diffs (73 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,9 @@ version 2.10.13 (MM/DD/YY):
 	  (TALOS-CAN-0123)
 	* Fixed a directory traversal issue.  Discovered by Yves Younan of Cisco
 	  Talos (TALOS-CAN-0128)
+	* Fixed a remote denial of service vulnerability that could result in
+	  a null pointer dereference.  Discovered by Yves Younan of Cisco Talos.
+	  (TALOS-CAN-0133)
 
 version 2.10.12 (12/31/15):
 	General:
diff --git a/libpurple/protocols/mxit/formcmds.c b/libpurple/protocols/mxit/formcmds.c
--- a/libpurple/protocols/mxit/formcmds.c
+++ b/libpurple/protocols/mxit/formcmds.c
@@ -395,6 +395,9 @@ static void command_imagestrip(struct MX
 	/* validator */
 	validator = g_hash_table_lookup(hash, "v");
 
+	if (!name || !validator)
+		return;
+
 	/* image data */
 	tmp = g_hash_table_lookup(hash, "dat");
 	if (tmp) {
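Review bot: The added `if (!name || !validator) return;` discards a malformed ImageStrip command without leaving any trace, so a peer that sends commands with the `nm` or `v` field missing never shows up in the debug log. Consider bracing the body and logging before the return, e.g. `purple_debug_error(MXIT_PLUGIN_ID, "ImageStrip command missing name or validator\n");`. The same applies to the `if (!name) return;` added in command_table. command_imagestrip starts and ends outside this hunk, so whether anything acquired earlier needs releasing on this path cannot be confirmed from here.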
@@ -430,13 +433,13 @@ static void command_imagestrip(struct MX
 	}
 
 	tmp = g_hash_table_lookup(hash, "fw");
-	width = atoi(tmp);
+	width = (tmp ? atoi(tmp) : 0);
 
 	tmp = g_hash_table_lookup(hash, "fh");
-	height = atoi(tmp);
+	height = (tmp ? atoi(tmp) : 0);
 
 	tmp = g_hash_table_lookup(hash, "layer");
-	layer = atoi(tmp);
+	layer = (tmp ? atoi(tmp) : 0);
 
 	purple_debug_info(MXIT_PLUGIN_ID, "ImageStrip %s from %s: [w=%i h=%i l=%i validator=%s]\n", name, from, width, height, layer, validator);
 }
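Review bot: The NULL guards on `fw`, `fh` and `layer` stop the dereference, but the values still pass through `atoi()`, which cannot report a parse failure and has undefined behaviour when the number does not fit in an int. The ChangeLog entry describes this as remotely triggerable, so these strings are presumably attacker-influenced. A checked conversion such as `g_ascii_strtoll(tmp, &end, 10)`, rejecting `end == tmp` and values outside an expected range, would make a garbage or oversized field distinguishable from a genuine 0. The same holds for `col`, `row` and `mode` in command_table. In the lines visible here the results are only logged; the function begins outside this hunk.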
@@ -525,21 +528,26 @@ static void command_table(struct RXMsgDa
 
 	/* table name */
 	name = g_hash_table_lookup(hash, "nm");
+	if (!name)
+		return;
 
 	/* number of columns */
 	tmp = g_hash_table_lookup(hash, "col");
-	nr_columns = atoi(tmp);
+	nr_columns = (tmp ? atoi(tmp) : 0);
 
 	/* number of rows */
 	tmp = g_hash_table_lookup(hash, "row");
-	nr_rows = atoi(tmp);
+	nr_rows = (tmp ? atoi(tmp) : 0);
 
 	/* mode */
 	tmp = g_hash_table_lookup(hash, "mode");
-	mode = atoi(tmp);
+	mode = (tmp ? atoi(tmp) : 0);
 
 	/* table data */
 	tmp = g_hash_table_lookup(hash, "d");
+	if (!tmp)
+		tmp = "";
+
 	coldata = g_strsplit(tmp, "~", 0);			/* split into entries for each row & column */
 
 	purple_debug_info(MXIT_PLUGIN_ID, "Table %s from %s: [cols=%i rows=%i mode=%i]\n", name, mx->from, nr_columns, nr_rows, mode);
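Review bot: `nr_columns` and `nr_rows` are parsed from the message independently of how many entries `g_strsplit()` actually returns, and with the new `tmp = ""` fallback `coldata` is an empty vector while the counts can still be non-zero or negative. If the code after this hunk (not visible here) indexes `coldata` by row and column, it needs a bound first, e.g. `if (nr_columns <= 0 || nr_rows <= 0 || (guint64) nr_columns * nr_rows > g_strv_length(coldata))`, followed by `g_strfreev(coldata)` and a return. A short comment above the split stating that the counts are untrusted and must be checked against the vector length would also help the next reader. command_table begins and continues outside this hunk.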


