latest pidgin slplink.c patch

adc adc at
Sat May 23 22:44:15 EDT 2009

Hi, could someone help me understand CVE-2009-1376?
The previous fix to CVE-2008-2927 <> was
deemed incomplete. The size check improperly cast a uint64 to size_t,
which can cause an integer overflow, rendering the check useless.
original patch:

-		if ((offset + len) > slpmsg->size)
+		if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
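Review bot: The new guard on the `+` line is computed on whatever `offset` holds at that point, and `offset` is a `gsize` into which the 64-bit value from the message has already been stored; on a 32-bit build the narrowing has discarded the high bits before `G_MAXSIZE - len < offset` is evaluated, so a value that wrapped past 2^32 passes both comparisons. The guard is sound once `offset` is declared `guint64` (as the follow-up patch does); alternatively, write the check without the addition, `offset > slpmsg->size || len > slpmsg->size - offset`, which needs no G_MAXSIZE guard at all.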

additional patch:

+-      gsize offset;
++      guint64 offset;

+       gsize len;
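Review bot: Changing the declaration to `guint64 offset;` removes the narrowing, but the hunk carries no comment saying why; add one above the declaration noting that the value comes from a 64-bit field and must keep its full width until the `G_MAXSIZE - len < offset` comparison, since the previous fix failed precisely because it was held in a `gsize`. Note the `+-`/`++` prefixes: this is an edit to the earlier patch file rather than to slplink.c directly, and the trailing `gsize len;` line is unchanged context.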

Where is the problem exactly? I'm assuming that on a 32-bit machine
G_MAXSIZE should be max unsigned int (2^32-1) and gsize is an unsigned integer.

If those assumptions are correct, why is this check broken?
G_MAXSIZE - len < offset

In trying to understand the definitions, I also noticed this in glib for 64-bit:
glib/gtypes.h:#define G_MAXUINT64    G_GINT64_CONSTANT(0xffffffffffffffffU)

Should that line be?

glib/gtypes.h:#define G_MAXUINT64    G_GUINT64_CONSTANT(0xffffffffffffffffU)

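The following is an added illustration, not Pidgin's code and not part of the original message: it reconstructs the bounds check in the three forms the two patches imply (before CVE-2008-2927, after the first fix with `offset` still a `gsize`, and after the follow-up with `offset` widened to `guint64`) and runs each against an offset that exceeds 2^32. A `uint32_t` typedef stands in for `gsize` on a 32-bit build so the result is the same on any host; the message size and the offsets are constructed values, and the subtraction-based variant at the end is an alternative suggested here, not something from the patches.

```c
/*
 * Added illustration, not Pidgin's own code: the slplink.c size check in the
 * forms implied by the two patches, with the offset either narrowed to a
 * 32-bit size type or kept at 64 bits. "gsize32" stands in for gsize on a
 * 32-bit platform so the demonstration behaves identically on any host.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t gsize32;          /* gsize on a 32-bit platform */
#define G_MAXSIZE32 UINT32_MAX     /* G_MAXSIZE on that platform */

/* Before CVE-2008-2927: no guard, so offset + len can wrap in 32-bit
 * arithmetic and a huge offset looks small. */
static bool check_pre_2008(uint64_t msg_size, uint64_t wire_offset, gsize32 len)
{
    gsize32 offset = (gsize32)wire_offset;
    return (gsize32)(offset + len) <= msg_size;   /* explicit 32-bit wrap */
}

/* CVE-2008-2927 fix as posted: the G_MAXSIZE guard is added, but offset is
 * still a gsize, so the 64-bit value from the message has already been
 * narrowed when the guard runs. */
static bool check_cve_2008_fix(uint64_t msg_size, uint64_t wire_offset, gsize32 len)
{
    gsize32 offset = (gsize32)wire_offset;       /* high bits lost here */
    if (G_MAXSIZE32 - len < offset || (offset + len) > msg_size)
        return false;
    return true;
}

/* CVE-2009-1376 fix: offset declared guint64, so the guard compares the
 * value the peer actually sent; the sum is evaluated in 64 bits. */
static bool check_cve_2009_fix(uint64_t msg_size, uint64_t offset, gsize32 len)
{
    if (G_MAXSIZE32 - len < offset || (offset + len) > msg_size)
        return false;
    return true;
}

/* Alternative (suggested here, not from the patches): never add, subtract.
 * Both comparisons are on values no larger than msg_size, so no guard is
 * needed regardless of the width of offset. */
static bool check_no_add(uint64_t msg_size, uint64_t offset, gsize32 len)
{
    return offset <= msg_size && len <= msg_size - offset;
}

static const char *verdict(bool accepted)
{
    return accepted ? "accepted" : "rejected";
}

int main(void)
{
    const uint64_t size    = 4096;               /* constructed message size */
    const uint64_t wrap32  = 0xFFFFFFF0u;        /* + 0x20 wraps in 32 bits  */
    const uint64_t crafted = 0x100000010ULL;     /* 2^32 + 16, narrows to 16 */

    printf("pre-2008,   offset 0xFFFFFFF0 len 0x20: %s\n",
           verdict(check_pre_2008(size, wrap32, 0x20)));
    printf("2008 fix,   offset 0xFFFFFFF0 len 0x20: %s\n",
           verdict(check_cve_2008_fix(size, wrap32, 0x20)));
    printf("2008 fix,   offset 2^32+16   len 32:   %s\n",
           verdict(check_cve_2008_fix(size, crafted, 32)));
    printf("2009 fix,   offset 2^32+16   len 32:   %s\n",
           verdict(check_cve_2009_fix(size, crafted, 32)));
    printf("no-add,     offset 2^32+16   len 32:   %s\n",
           verdict(check_no_add(size, crafted, 32)));
    printf("2009 fix,   offset 100       len 32:   %s\n",
           verdict(check_cve_2009_fix(size, 100, 32)));
    return 0;
}
```

The second case shows why the 2008 guard was needed (the 32-bit sum wraps), and the third shows why it was still insufficient: the guard never sees the high bits of a 64-bit offset once the value has been stored in a `gsize`, so 2^32 + 16 is checked as 16. With `offset` kept at 64 bits the same input is rejected, and the subtraction form rejects it without any G_MAXSIZE comparison at all.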
