/pidgin/main: 406382495c37: Merged TALOS-CAN-0134
Gary Kramlich
grim at reaperworld.com
Mon Jun 20 20:09:59 EDT 2016
Changeset: 406382495c37c49208be83d7d4c7a4921536c4a8
Author: Gary Kramlich <grim at reaperworld.com>
Date: 2016-06-12 22:13 -0500
Branch: release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/406382495c37
Description:
Merged TALOS-CAN-0134
diffstat:
ChangeLog | 2 ++
libpurple/protocols/mxit/formcmds.c | 12 ++++++++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diffs (49 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,8 @@ version 2.10.13 (MM/DD/YY):
* Fixed a remote denial of service vulnerability that could result in
a null pointer dereference. Discovered by Yves Younan of Cisco Talos.
(TALOS-CAN-0133)
+ * Fixed a remote denial of service that could result in an out-of-bounds
+ read. Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0134)
version 2.10.12 (12/31/15):
General:
diff --git a/libpurple/protocols/mxit/formcmds.c b/libpurple/protocols/mxit/formcmds.c
--- a/libpurple/protocols/mxit/formcmds.c
+++ b/libpurple/protocols/mxit/formcmds.c
@@ -522,9 +522,9 @@ static void command_table(struct RXMsgDa
const char* tmp;
const char* name;
int mode;
- int nr_columns = 0, nr_rows = 0;
+ unsigned int nr_columns = 0, nr_rows = 0;
gchar** coldata;
- int i, j;
+ unsigned int i, j;
/* table name */
name = g_hash_table_lookup(hash, "nm");
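Review bot: Changing `nr_columns`, `nr_rows`, `i` and `j` to `unsigned int` leaves the `purple_debug_info` format strings in the two later hunks on `%i`, which no longer matches the argument type. The three affected calls are the new "Invalid table data" message, the "Table %s from %s" line and the per-cell "Row %i Column %i" line; each should use `%u` for these values, while `mode` stays `int` and keeps `%i`. The statements that assign `nr_columns` and `nr_rows` are outside this hunk, so it is worth confirming there that a negative number in the message is rejected rather than converted into a very large unsigned count.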
@@ -550,6 +550,12 @@ static void command_table(struct RXMsgDa
coldata = g_strsplit(tmp, "~", 0); /* split into entries for each row & column */
+ if (g_strv_length(coldata) != (nr_rows * nr_columns)) {
+ purple_debug_info(MXIT_PLUGIN_ID, "Invalid table data: cols=%i rows=%i\n", nr_columns, nr_rows);
+ g_strfreev(coldata);
+ return;
+ }
+
purple_debug_info(MXIT_PLUGIN_ID, "Table %s from %s: [cols=%i rows=%i mode=%i]\n", name, mx->from, nr_columns, nr_rows, mode);
for (i = 0; i < nr_rows; i++) {
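Review bot: The product `nr_rows * nr_columns` in the new length check is computed in `unsigned int` and can wrap, so two large counts whose product wraps to the real number of entries would pass the check while the loops below still iterate over the unwrapped counts. Doing the comparison in a wider type closes that gap: `if ((guint64) g_strv_length(coldata) != (guint64) nr_rows * nr_columns) {`. Once the 64-bit product is known to equal a `guint` length, the index `i*nr_columns + j` used in the inner loop cannot wrap either. How the two counts are parsed is not visible here, so whether such values can arrive in a received message is an assumption to confirm; command_table begins before this hunk and continues after it.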
@@ -557,6 +563,8 @@ static void command_table(struct RXMsgDa
purple_debug_info(MXIT_PLUGIN_ID, " Row %i Column %i = %s\n", i, j, coldata[i*nr_columns + j]);
}
}
+
+ g_strfreev(coldata);
}