Remotely triggerable crash in libpurple
Daniel Atallah
daniel.atallah at gmail.com
Mon Oct 12 09:42:10 EDT 2009
On Mon, Oct 12, 2009 at 04:09, Mark Doliner <mark at kingant.net> wrote:
> A ticket was filed yesterday where a 3rd party IM (SIM) client can
> cause a crash in Pidgin when a SIM ICQ user attempts to send a list of
> contacts to a Pidgin user.
> http://developer.pidgin.im/ticket/10481
<SNIP>
> The format of the ICBM sent to us by SIM is pretty different from what
> we're expecting, and I'm not quite sure why yet. But it's pretty easy
> to fix the erroneous assumptions in our code. Can one or two people
> look at the attached patch and also maybe the little bit of the
> affected function and make sure I'm not missing anything?
I've reviewed the patch and the one part I'm missing is where
- for (i=0; i<strlen(text[0]); i++)
- num = num*10 + text[0][i]-48;
+ num = strtoul(text[0], NULL, 10);
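Review bot: The strtoul() call on the + line passes NULL as the end pointer, so it cannot tell a clean number from malformed input, and it is not equivalent to the removed loop. The old loop folded every byte of text[0] into num as if it were a digit, with no overflow check; strtoul() instead skips leading whitespace, accepts a sign, stops at the first non-digit and returns 0 when there are no digits at all. A string such as "-1" is negated into a very large unsigned value, which still satisfies the "if (num > 0 && errno == 0)" test mentioned below, and that errno test is only meaningful if errno is cleared before the call, which the hunk does not show. Suggest setting errno = 0 immediately before the call, passing a char *end and requiring end != text[0] && *end == '\0', and rejecting values above whatever upper bound the caller can handle before num is used.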
are equivalent.
The rest looks fine to me. It might be worth adding some debug output
to an else statement for "if (num > 0 && errno == 0) {"
> If all looks well with the patch then I propose throwing together a
> lightweight 2.6.3, which is 2.6.2+this fix+any other small and
> important bug fixes, with a minimum of string changes.
Is there anything else to be done for the rash of AIM/ICQ issues that
have come up lately? Are we still pretty confident it is a server
problem?
-D