pidgin: 661db628: http://dev.aol.com/aim/oscar/ says, "A

Zachary West zacwest at gmail.com
Mon Nov 9 13:58:29 EST 2009 

On Thu, Nov 5, 2009 at 03:21, Mark Doliner <mark at kingant.net> wrote:

> On Wed, Nov 4, 2009 at 11:25 PM, Richard Laager <rlaager at wiktel.com>
> wrote:
> > On Wed, 2009-11-04 at 17:21 -0500, markdoliner at pidgin.im wrote:
> >> http://dev.aol.com/aim/oscar/ says, "All strings in Feedbag are UTF8
> >> encoded."  So stop trying to validate stuff as utf8 then salvage when
> >> it isn't and just display broken crap or crash.
> >
> > This seems like a bad idea. If we can really crash on invalid data, this
> > is going to be our next security issue.
>
> Yeah, maybe.  It would only be invalid date in your own roster, which
> wouldn't be considered a security issue because it isn't remotely
> exploitable (although it would be a nuisance to any person who is
> affected).  I wondered if there is some possibility of non-utf8 in an
> ICQ friend request, but these changes don't affect that.
>
> -Mark
>
>
The latest Adium beta is running with these changes, and we're seeing a fair
amount of bug reports for crashing due to the change. Perhaps a little
further reaching amount of invalid data than expected?

Unless the crash we're seeing is different (but I don't think it is, seems
like this change). Here's an example backtrace:

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   libSystem.B.dylib             	0x91161990 strlen + 16
1   ...s.openspecies.rtool.libglib	0x005ec10d g_utf8_collate_key + 416
2   libpurple                     	0x0071d015 purple_find_group + 102
3   libpurple                     	0x0085f046 purple_ssi_parselist + 1818
4   libpurple                     	0x0083dbba parsedata + 574
5   libpurple                     	0x0083f38c snachandler + 132
6   libpurple                     	0x0084dbac parse_snac + 239
7   libpurple                     	0x0084de20 parse_flap + 153
8   libpurple                     	0x0084e18b flap_connection_recv + 832
9   libpurple                     	0x0084e1fc flap_connection_recv_cb_ssl + 23
10  libpurple                     	0x0076c003 recv_cb + 43

-- 
Zachary West
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/pipermail/devel/attachments/20091109/07494699/attachment-0001.html>

More information about the Devel mailing list