latest pidgin slplink.c patch

adc adc at
Sun May 24 16:50:59 EDT 2009

Thank you for the clarification


adc spake unto us the following wisdom:
>* Hi, could someone help me understand CVE-2009-1376?*>* """*>* The previous fix to CVE-2008-2927 <> was*>* deemed incomplete. The size check improperly casted an uint64 to size_t*>* which can cause an integer overflow, rendering the check useless.*>* """*>* original patch:*>* *>* -		if ((offset + len) > slpmsg->size)*>* +		if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)*>* *>* *>* additional patch:*>* *>* +-      gsize offset;*>* ++      guint64 offset;*>* *>* +       gsize len;*>* *>* Where is the problem exactly? I'm assuming that on a 32-bit machine*>* G_MAXSIZE should be*>* max unsigned int (2^32-1) and gsize is an unsigned integer.*
On the line:

	offset = msg->msnslp_header.offset;

(struct MsnSlpHeader *)->offset is declared as 64-bit.  Assigning it
to a 32-bit offset field led to truncation.  These checks themselves
weren't the problem.


The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
		-- Cesare Beccaria, "On Crimes and Punishments", 1764
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Devel mailing list