[patch] libpurple/protocols/oscar: OOM and die on misparsed ICQWebMessage as ICQSMS
Yuriy Kaminskiy
yumkam at mail.ru
Thu May 28 17:18:56 EDT 2009
Hello!
A few months ago ;-) I got a number of OOM/(segv|abort) crashes, and found that
when pidgin receives chan4/0x1a/ICQWebMessage, it misparses it as
ICQSMS, and dies on out-of-memory/sigsegv.
01) fix in byte_stream_getstr: check len for validity early (it would
cause an error later anyway), and only then allocate memory.
02) fix in incomingim_chan4/case 0x1a: better checks for the expected
format and errors (and don't choke on unknown gibberish).
03-04) [optional] remove the double checks introduced in (01), and cleanup
PS: patches checked and work on pidgin-2.5.{1..6}.
PPS: someone should also think about this:
ByteStream b;
guint8 len;
guint32 num;
char *foo, *bar;

byte_stream_init(&b, "\7abcde", 6);
len = byte_stream_get8(&b);        // ok - len=7
foo = byte_stream_getstr(&b, len); // fails! (only 5 bytes remain)
num = byte_stream_get32(&b);       // reads junk! num = 0x64636261
bar = byte_stream_getstr(&b, num); // DIE! (before my patch) or fail;
// or, in a more ``lucky'' case ("\7\1\0\0\0B"), may read some unexpected
// gibberish into bar
There are too many places where byte_stream_get* functions are used without
any check for errors :-\ (from a quick glance, nothing as drastic^[*]
as with 4/0x1a, but I don't know the code well enough to be sure).
Maybe it makes sense to advance the buffer to the end (b->offset = b->len;)
immediately on a failed attempt to read something?
^[*] that is, with 01_*.patch; without it, it would be OOM/die.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 01_bstream-bigmalloc-2.patch
Type: text/x-diff
Size: 609 bytes
Desc: not available
URL: <http://pidgin.im/pipermail/devel/attachments/20090529/8e493da4/attachment-0008.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 02_detect-misparse.patch
Type: text/x-diff
Size: 968 bytes
Desc: not available
URL: <http://pidgin.im/pipermail/devel/attachments/20090529/8e493da4/attachment-0009.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 03_bstream-remove-double-check.patch
Type: text/x-diff
Size: 1422 bytes
Desc: not available
URL: <http://pidgin.im/pipermail/devel/attachments/20090529/8e493da4/attachment-0010.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 04_bstream-cosmetics.patch
Type: text/x-diff
Size: 1034 bytes
Desc: not available
URL: <http://pidgin.im/pipermail/devel/attachments/20090529/8e493da4/attachment-0011.patch>
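The failure mode described in the PPS, worked through as an added example (my own stand-in code, not libpurple's bstream.c or any of the attached patches): a minimal byte-stream reader whose string read validates the length against the remaining bytes before allocating (the ordering patch 01 describes), plus a hypothetical `poison` switch that implements the "advance to the end on a failed read" suggestion together with a sticky error flag. It is fed the two constructed inputs from the PPS and one well-formed message. The names `bstream_t`, `bs_*`, `parse_pair` and the result struct are assumptions; the 32-bit read is little-endian, mirroring how the ICQ channel-4 fields are read, which is also why "abcd" comes out as 0x64636261.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libpurple's ByteStream (added illustration, not the
 * project's code).  `poison` selects the behaviour proposed in the PPS: on any
 * failed read, advance to the end and latch an error so later reads cannot
 * consume leftover bytes as if they were the next field. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t offset;
    int poison;   /* 1 = hardened behaviour, 0 = a failed read leaves the cursor alone */
    int failed;   /* sticky error flag, only ever set when poison == 1 */
} bstream_t;

static void bs_init(bstream_t *b, const uint8_t *data, size_t len, int poison)
{
    b->data = data; b->len = len; b->offset = 0; b->poison = poison; b->failed = 0;
}

static size_t bs_remaining(const bstream_t *b) { return b->len - b->offset; }

static int bs_fail(bstream_t *b)
{
    if (b->poison) { b->offset = b->len; b->failed = 1; }
    return 0;
}

/* Every read first refuses if the stream is already poisoned, then checks that
 * enough bytes remain.  Neither check allocates anything. */
static int bs_get8(bstream_t *b, uint8_t *out)
{
    if (b->failed || bs_remaining(b) < 1) return bs_fail(b);
    *out = b->data[b->offset++];
    return 1;
}

/* Little-endian, as the ICQ channel-4 fields are read. */
static int bs_getle32(bstream_t *b, uint32_t *out)
{
    if (b->failed || bs_remaining(b) < 4) return bs_fail(b);
    const uint8_t *p = b->data + b->offset;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    b->offset += 4;
    return 1;
}

/* The length is validated against the remaining bytes BEFORE malloc, so an
 * attacker-chosen length such as 0x64636261 never becomes a 1.6 GB request. */
static char *bs_getstr(bstream_t *b, uint32_t n)
{
    if (b->failed || bs_remaining(b) < n) { bs_fail(b); return NULL; }
    char *s = malloc((size_t)n + 1);
    if (!s) { bs_fail(b); return NULL; }
    memcpy(s, b->data + b->offset, n);
    s[n] = '\0';
    b->offset += n;
    return s;
}

typedef struct {
    int foo_ok, num_ok, bar_ok;   /* which of the four reads succeeded */
    uint32_t num;                 /* value produced by the 32-bit read (0 if it failed) */
    char bar[16];                 /* copy of the second string, if any */
} pair_result_t;

/* The sequence from the PPS: 8-bit length, string, 32-bit length, string. */
static pair_result_t parse_pair(const uint8_t *buf, size_t buflen, int poison)
{
    pair_result_t r; memset(&r, 0, sizeof r);
    bstream_t b; bs_init(&b, buf, buflen, poison);
    uint8_t len = 0; char *foo, *bar;

    bs_get8(&b, &len);
    foo = bs_getstr(&b, len);
    r.foo_ok = foo != NULL;
    r.num_ok = bs_getle32(&b, &r.num);
    bar = bs_getstr(&b, r.num);
    if (bar) { r.bar_ok = 1; snprintf(r.bar, sizeof r.bar, "%s", bar); }
    free(foo); free(bar);
    return r;
}

/* Constructed inputs: the two malformed messages from the PPS and one well-formed one. */
static const uint8_t MSG_JUNK[]  = "\7abcde";          /* length 7, only 5 bytes follow */
static const uint8_t MSG_LUCKY[] = "\7\1\0\0\0B";      /* length 7, then bytes that happen to parse */
static const uint8_t MSG_GOOD[]  = "\5hello\1\0\0\0B"; /* length 5 "hello", length 1 "B" */

int main(void)
{
    pair_result_t r = parse_pair(MSG_JUNK, 6, 0);
    printf("junk, no poison : foo_ok=%d num=0x%08x bar_ok=%d\n", r.foo_ok, r.num, r.bar_ok);
    r = parse_pair(MSG_LUCKY, 6, 0);
    printf("lucky, no poison: foo_ok=%d num=%u bar=\"%s\"\n", r.foo_ok, r.num, r.bar);
    r = parse_pair(MSG_LUCKY, 6, 1);
    printf("lucky, poisoned : foo_ok=%d num_ok=%d bar_ok=%d\n", r.foo_ok, r.num_ok, r.bar_ok);
    return 0;
}
```

Without poisoning, the first string read fails but the cursor stays put, so the 32-bit read happily consumes "abcd" as a length, and in the "lucky" case the trailing "B" is accepted as a valid second string even though the message was already known to be malformed. With poisoning, the first failure makes every later read fail, so the caller has to notice the error instead of acting on gibberish; the length-before-malloc order in `bs_getstr` is what removes the OOM independently of that.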