Pidgin 2.10.4 and a possible remote crash
Mark Doliner
mark at kingant.net
Mon May 7 12:49:32 EDT 2012
On Mon, May 7, 2012 at 3:41 AM, Jan Lieskovsky <jlieskov at redhat.com> wrote:
> looks like the crash is happening at g_convert() routine:
>
> - char *body = g_convert(msg->body, msg->body_len, "UTF-8",
> - "ISO-8859-1", NULL, &msg->body_len, NULL);
I actually don't think this will crash. My understanding is that it's
possible to convert any sequence of bytes from ISO-8859-1 to UTF-8.
The result might be nonsensical (if the bytes aren't actually
ISO-8859-1), but the conversion should still succeed.
> In other words, are you able to tell if the crash is happening due to
> invalid read out of heap-based buffer, or if it could lead also to
> invalid heap-based buffer write? (later in the code)
I think it's just an invalid read. Here's the backtrace we were given:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff50e7f00 in g_markup_escape_text () from /usr/lib/libglib-2.0.so.0
(gdb) bt
#0  0x00007ffff50e7f00 in g_markup_escape_text () from /usr/lib/libglib-2.0.so.0
#1  0x00007fffe7d1430f in msn_plain_msg () from /usr/lib/purple-2/libmsn.so
#2  0x00007fffe7d0a5c6 in msn_cmdproc_process_msg () from /usr/lib/purple-2/libmsn.so
#3  0x00007fffe7d2c7ef in ?? () from /usr/lib/purple-2/libmsn.so
#4  0x00007fffe7d25ae9 in msn_servconn_process_data () from /usr/lib/purple-2/libmsn.so
#5  0x00007fffe7d25c81 in ?? () from /usr/lib/purple-2/libmsn.so
#6  0x000000000046af5d in ?? ()
#7  0x00007ffff50e337c in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#8  0x00007ffff50e3798 in ?? () from /usr/lib/libglib-2.0.so.0
#9  0x00007ffff50e3b92 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#10 0x00007ffff6d76637 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#11 0x00000000004319a1 in main ()
The case we were trying to protect against is when charset is set and
the string is not valid UTF-8. I think the old code didn't do any
conversion in this case. And then later in the code, in
msn_plain_msg(), we were passed invalid UTF-8 to
g_markup_escape_text().
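As an added example (not Pidgin's code and not the patch being discussed), here are the two points made above in working C: a Latin-1 to UTF-8 transcoder that cannot fail for any input bytes, and a UTF-8 validator that rejects the truncated sequences which make a walker trusting the lead byte step past the end of a buffer. GLib is not assumed to be available, so the hand-written utf8_valid and latin1_to_utf8 stand in for g_utf8_validate and g_convert; ensure_utf8 is a hypothetical policy function for this example only, and the sample message body is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Validate that buf[0..len) is well-formed UTF-8 (the role g_utf8_validate plays in GLib;
   hand-written here so the example builds without GLib). Rejects truncated sequences,
   stray continuation bytes, overlong encodings, surrogates and code points above U+10FFFF. */
int utf8_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i];
        size_t n;            /* number of continuation bytes the lead byte promises */
        uint32_t cp;
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0) { if (c < 0xC2) return 0; n = 1; cp = c & 0x1F; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; }
        else if ((c & 0xF8) == 0xF0) { if (c > 0xF4) return 0; n = 3; cp = c & 0x07; }
        else return 0;       /* continuation byte or 0xF5..0xFF in lead position */
        /* A lead byte that promises more bytes than remain is exactly the shape that
           makes a walker trusting the lead byte read past the end of the buffer. */
        if (i + n >= len) return 0;
        for (size_t k = 1; k <= n; k++) {
            if ((buf[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (buf[i + k] & 0x3F);
        }
        if (n == 2 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return 0;
        if (n == 3 && (cp < 0x10000 || cp > 0x10FFFF)) return 0;
        i += n + 1;
    }
    return 1;
}

/* Transcode ISO-8859-1 to UTF-8 (what g_convert(..., "UTF-8", "ISO-8859-1", ...) does).
   Every byte 0x00..0xFF is a Latin-1 character, so this cannot fail for any input;
   the output is at most 2*len bytes plus a NUL. Caller frees. */
char *latin1_to_utf8(const unsigned char *buf, size_t len, size_t *out_len)
{
    char *out = malloc(2 * len + 1);
    size_t o = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c < 0x80) {
            out[o++] = (char)c;
        } else {
            out[o++] = (char)(0xC0 | (c >> 6));
            out[o++] = (char)(0x80 | (c & 0x3F));
        }
    }
    out[o] = '\0';
    if (out_len) *out_len = o;
    return out;
}

/* Hypothetical policy for this example: hand downstream code only valid UTF-8. If the bytes
   already validate, copy them; otherwise reinterpret them as ISO-8859-1 and transcode, which
   cannot fail. The result may be nonsense if the bytes were some other charset, but it is
   never malformed, so an escape routine that walks UTF-8 has nothing to overread. */
char *ensure_utf8(const unsigned char *body, size_t len, size_t *out_len)
{
    if (utf8_valid(body, len)) {
        char *out = malloc(len + 1);
        if (!out) return NULL;
        memcpy(out, body, len);
        out[len] = '\0';
        if (out_len) *out_len = len;
        return out;
    }
    return latin1_to_utf8(body, len, out_len);
}

int main(void)
{
    /* Constructed sample body: claims UTF-8 but is cut off mid-character
       (E2 82 is the first two bytes of the three-byte euro sign E2 82 AC). */
    static const unsigned char truncated[] = { 'p', 'r', 'i', 'c', 'e', ' ', 0xE2, 0x82 };
    size_t n = 0;
    char *safe = ensure_utf8(truncated, sizeof truncated, &n);
    if (!safe) return 1;
    printf("valid before: %d, valid after: %d, length after: %zu\n",
           utf8_valid(truncated, sizeof truncated),
           utf8_valid((const unsigned char *)safe, n), n);
    free(safe);
    return 0;
}
```

The check that matters for the crash described in this thread is the `i + n >= len` test in utf8_valid: a trailing lead byte with missing continuation bytes is rejected instead of being handed to a routine that assumes every character is complete.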