/pidgin/main: 8943e2d16d5a: Merged TALOS-CAN-0139

[Gary Kramlich]

Changeset: 8943e2d16d5a5516e1ff0d5a2340f357b00cc939
Author:	 Gary Kramlich <grim at reaperworld.com>
Date:	 2016-06-12 22:28 -0500
Branch:	 release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/8943e2d16d5a

Description:

Merged TALOS-CAN-0139

diffstat:

 ChangeLog                           |  2 ++
 libpurple/protocols/mxit/protocol.c |  6 ++++++
 2 files changed, 8 insertions(+), 0 deletions(-)

diffs (28 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,8 @@ version 2.10.13 (MM/DD/YY):
 	  Talos.  (TALOS-CAN-0142)
 	* Fixed a remote denial of service vulnerability in contact mood
 	  handling.  Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0141)
+	* Fixed a remote out-of-bounds write vulnerability.  Discovered by Yves
+	  Younan of Cisco Talos. (TALOS-CAN-0139)
 
 version 2.10.12 (12/31/15):
 	General:
diff --git a/libpurple/protocols/mxit/protocol.c b/libpurple/protocols/mxit/protocol.c
--- a/libpurple/protocols/mxit/protocol.c
+++ b/libpurple/protocols/mxit/protocol.c
@@ -1840,6 +1840,12 @@ static void mxit_parse_cmd_extprofile( s
 	/* set the count for attributes */
 	count = atoi( records[0]->fields[1]->data );
 
+	/* ensure the packet has the correct number of fields */
+	if ( records[0]->fcount < ( 2 + ( count * 3 ) ) ) {
+		purple_debug_error( MXIT_PLUGIN_ID, "Insufficient number of fields in extprofile response. fields=%i records=%i", records[0]->fcount, count );
+		return;
+	}
+
 	for ( i = 0; i < count; i++ ) {
 		char* fname;
 		char* fvalue;