XMMP/Jabber clients DoS vulnerability report

Ethan Blanton elb at pidgin.im
Wed Feb 10 09:25:33 EST 2010

Mark Doliner spake unto us the following wisdom:
> How does the attached patch look to people?  It sets a limit of 200
> smileys per GtkIMHtml by keeping a counter using g_object_get_data and
> g_object_set_data.  200 is fairly arbitrary.  My computer can handle
> more, but my computer is fairy fast.  I suspect some of our users will
> hit the 200 limit because, well, you know our users :-), but I also
> suspect that 200 is more than enough for any reasonable conversation.

Does each smiley rendering become progressively slower, or something?
I would be inclined to account this per-IM, not per-IMHtml.  If an
IMHtml is getting generally slow, people have time to close the window
and open a new one; if a single IM is loaded up with smileys and
unusably slow, that's a different matter.


The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
		-- Cesare Beccaria, "On Crimes and Punishments", 1764
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 481 bytes
Desc: Digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20100210/06a6b52b/attachment.pgp>

More information about the security mailing list