Pidgin 2.10.4 and a possible remote crash

Mark Doliner mark at kingant.net
Mon May 7 12:49:32 EDT 2012


On Mon, May 7, 2012 at 3:41 AM, Jan Lieskovsky <jlieskov at redhat.com> wrote:
> looks like the crash is happening at g_convert() routine:
>
> -               char *body = g_convert(msg->body, msg->body_len, "UTF-8",
> -                               "ISO-8859-1", NULL, &msg->body_len, NULL);
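Review bot: the quoted g_convert() call passes NULL for both bytes_read and the GError, so a conversion that fails for any reason is reported only by a NULL return and the caller must check body for NULL before touching it; it also points bytes_written at &msg->body_len, the same field passed as the input length, so after the call msg->body_len describes the converted buffer and the original length is gone. If this call comes back in any form, write the output length to a separate variable and handle the NULL case explicitly.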

I actually don't think this will crash.  My understanding is that it's
possible to convert any sequence of bytes from ISO-8859-1 to UTF-8.
The result might be nonsensical (if the bytes aren't actually
ISO-8859-1), but the conversion should still succeed.

> In other words, are you able to tell if the crash is happening due to
> invalid read out of heap-based buffer, or if it could lead also to
> invalid heap-based buffer write? (later in the code)

I think it's just an invalid read.  Here's the backtrace we were given:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff50e7f00 in g_markup_escape_text ()
from /usr/lib/libglib-2.0.so.0
(gdb) bt
#0  0x00007ffff50e7f00 in g_markup_escape_text ()
from /usr/lib/libglib-2.0.so.0
#1  0x00007fffe7d1430f in msn_plain_msg ()
from /usr/lib/purple-2/libmsn.so
#2  0x00007fffe7d0a5c6 in msn_cmdproc_process_msg ()
from /usr/lib/purple-2/libmsn.so
#3  0x00007fffe7d2c7ef in ?? () from /usr/lib/purple-2/libmsn.so
#4  0x00007fffe7d25ae9 in msn_servconn_process_data ()
from /usr/lib/purple-2/libmsn.so
#5  0x00007fffe7d25c81 in ?? () from /usr/lib/purple-2/libmsn.so
#6  0x000000000046af5d in ?? ()
#7  0x00007ffff50e337c in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
#8  0x00007ffff50e3798 in ?? () from /usr/lib/libglib-2.0.so.0
#9  0x00007ffff50e3b92 in g_main_loop_run ()
from /usr/lib/libglib-2.0.so.0
#10 0x00007ffff6d76637 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#11 0x00000000004319a1 in main ()

The case we were trying to protect against is when charset is set and
the string is not valid UTF-8.  I think the old code didn't do any
conversion in this case.  And then later in the code, in
msn_plain_msg(), we were passed invalid UTF-8 to
g_markup_escape_text().
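
Added example (not from this thread, and not libpurple or GLib code): a small C program that models the two points made in the reply above. Any byte string converts from ISO-8859-1 to well-formed UTF-8, so a conversion from that charset cannot be where the crash is; and an escaper that steps through a buffer by UTF-8 lead byte, a simplified model of a g_utf8_next_char()-style walk rather than GLib's implementation, steps past the end of the buffer when handed a bogus or truncated lead byte, which is the invalid read described. The function names, the validation and conversion code, and the message bytes are all constructed for this illustration; the overrun check only computes where an unchecked walk would step and does not perform the read.

```c
/* Added example, not Pidgin/libpurple or GLib code. Models two points from the
 * mail: (1) every byte sequence is valid ISO-8859-1, so converting it to UTF-8
 * cannot fail even if the text comes out as nonsense; (2) an escaper that steps
 * through a buffer by UTF-8 lead byte trusts its input, so a bogus or truncated
 * lead byte makes it read past the end. The message bytes are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes a lead byte claims for its sequence (1 for ASCII, stray continuation
 * bytes and F8..FF; 2/3/4 for C0..DF / E0..EF / F0..F7). */
static size_t lead_claims(unsigned char c)
{
    return c < 0xC0 ? 1 : c < 0xE0 ? 2 : c < 0xF0 ? 3 : c < 0xF8 ? 4 : 1;
}

/* Strict UTF-8 check: rejects truncation, stray bytes, overlongs, surrogates, > U+10FFFF. */
int utf8_valid(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len;) {
        unsigned char c = s[i];
        size_t n = lead_claims(c);
        if (c >= 0x80 && n == 1) return 0;          /* stray 80..BF or F8..FF */
        if (i + n > len) return 0;                  /* sequence runs off the end */
        for (size_t k = 1; k < n; k++)
            if ((s[i + k] & 0xC0) != 0x80) return 0;
        if (n == 2 && c < 0xC2) return 0;                                           /* overlong */
        if (n == 3 && ((c == 0xE0 && s[i+1] < 0xA0) || (c == 0xED && s[i+1] >= 0xA0))) return 0;
        if (n == 4 && ((c == 0xF0 && s[i+1] < 0x90) || c > 0xF4 || (c == 0xF4 && s[i+1] >= 0x90))) return 0;
        i += n;
    }
    return 1;
}

/* Model of lead-byte stepping with no check against the remaining length, as an
 * escaper that trusts its input does. Returns 1 if the walk would read past len. */
int unchecked_walk_overruns(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len;) {
        size_t next = i + lead_claims(s[i]);
        if (next > len) return 1;                   /* only computed, never read */
        i = next;
    }
    return 0;
}

/* ISO-8859-1 -> UTF-8. Every byte is U+0000..U+00FF, so this cannot fail. Caller frees. */
unsigned char *latin1_to_utf8(const unsigned char *in, size_t len, size_t *out_len)
{
    unsigned char *out = malloc(2 * len + 1), *p = out;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (in[i] < 0x80) *p++ = in[i];
        else { *p++ = 0xC0 | (in[i] >> 6); *p++ = 0x80 | (in[i] & 0x3F); }
    }
    *p = 0;
    *out_len = (size_t)(p - out);
    return out;
}

/* Point (1) checked directly: all 256 byte values convert to well-formed UTF-8. */
int every_byte_converts(void)
{
    unsigned char all[256], *u;
    size_t n;
    for (int i = 0; i < 256; i++) all[i] = (unsigned char)i;
    u = latin1_to_utf8(all, sizeof all, &n);
    int ok = u && n == 384 && utf8_valid(u, n);     /* 128 ASCII + 128 two-byte */
    free(u);
    return ok;
}

/* Escape &, <, >, ", ' for markup, after making sure the body is well-formed UTF-8:
 * a body that is not is treated as ISO-8859-1 and converted first. Caller frees. */
char *escape_markup_safe(const unsigned char *body, size_t len)
{
    unsigned char *conv = NULL;
    if (!utf8_valid(body, len) && !(body = conv = latin1_to_utf8(body, len, &len)))
        return NULL;
    char *out = malloc(6 * len + 1), *p = out;
    if (!out) { free(conv); return NULL; }
    for (size_t i = 0; i < len; i++) {
        const char *rep = body[i] == '&' ? "&amp;" : body[i] == '<' ? "&lt;" :
                          body[i] == '>' ? "&gt;" : body[i] == '"' ? "&quot;" :
                          body[i] == '\'' ? "&apos;" : NULL;
        if (rep) { size_t r = strlen(rep); memcpy(p, rep, r); p += r; }
        else *p++ = (char)body[i];
    }
    *p = 0;
    free(conv);
    return out;
}

int main(void)
{
    /* Constructed body: Latin-1 "café <b>" plus a bare trailing 0xE9 (a truncated lead byte). */
    static const unsigned char body[] = "caf\xE9 <b>\xE9";
    size_t len = sizeof body - 1;
    char *esc = escape_markup_safe(body, len);
    printf("valid: %d overruns: %d all-bytes-convert: %d escaped: %s\n", utf8_valid(body, len),
           unchecked_walk_overruns(body, len), every_byte_converts(), esc);
    free(esc);
    return 0;
}
```

Build with cc -std=c99 and run. The Latin-1 body is reported as invalid UTF-8, the unchecked walk is reported as overrunning because the final 0xE9 claims three bytes with one left, and the escaper outputs caf followed by the two-byte encoding of é and &lt;b&gt;. Always falling back to ISO-8859-1 is the example's assumption, not a claim about how libpurple picks a charset; a real client would use the sender's declared charset and still validate the result before escaping.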


