Remotely triggerable crash in libpurple

Daniel Atallah daniel.atallah at gmail.com
Mon Oct 12 09:42:10 EDT 2009


On Mon, Oct 12, 2009 at 04:09, Mark Doliner <mark at kingant.net> wrote:
> A ticket was filed yesterday where a 3rd party IM (SIM) client can
> cause a crash in Pidgin when a SIM ICQ user attempts to send a list of
> contacts to a Pidgin user.
> http://developer.pidgin.im/ticket/10481

<SNIP>

> The format of the ICBM sent to us by SIM is pretty different from what
> we're expecting, and I'm not quite sure why yet.  But it's pretty easy
> to fix the erroneous assumptions in our code.  Can one or two people
> look at the attached patch and also maybe the little bit of the
> affected function and make sure I'm not missing anything?

I've reviewed the patch and the one part I'm missing is where

-				for (i=0; i<strlen(text[0]); i++)
-					num = num*10 + text[0][i]-48;
+				num = strtoul(text[0], NULL, 10);

are equivalent.
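
Review bot: on the added strtoul line, the NULL end pointer means a text[0] that is empty or carries trailing non-digit bytes goes undetected, and the "errno == 0" test mentioned below is only meaningful if errno is set to 0 immediately before the call, which these lines do not show. Suggest passing an end pointer and checking that it advanced and stopped at the terminator, and clearing errno before the call. On equivalence: the two forms agree only for an all-digit string whose value fits in num's type. The removed loop folds every byte in as c-48 with no digit check and wraps silently, while strtoul skips leading whitespace, accepts a sign, and stops at the first non-digit.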

The rest looks fine to me.  It might be worth adding some debug output
to an else statement for "if (num > 0 && errno == 0) {"

> If all looks well with the patch then I propose throwing together a
> lightweight 2.6.3, which is 2.6.2+this fix+any other small and
> important bug fixes, with a minimum of string changes.

Is there anything else to be done for the rash of AIM/ICQ issues that
have come up lately?  Are we still pretty confident it is a server
problem?

-D

