ICQ excessive memory allocation again

Mark Doliner mark at kingant.net
Wed May 26 14:01:16 EDT 2010


On Fri, Feb 26, 2010 at 5:10 PM, Jan Kaluza <hanzz.k at gmail.com> wrote:
> Hi,
> I'm using libpurple as network library for my XMPP Transport. I think
> I have similar problem to one security issue which should be already
> fixed in 2.5.8 ( http://pidgin.im/news/security/?id=33 ). I think I
> don't have to describe my problem more, because symptoms are basically
> the same as in mentioned issue. Unfortunately I can't say what client
> caused it. I'm using libpurple 2.6.5. I will keep the core dump and
> current binary for required time, so feel free to ask me for more
> information.
>
> These are last few lines of the debug log:
> [02/26/10 10:01:05] <libpurple/oscar> incomingim_ch1: unknown TLV
> 0x000d (len 40)
> [02/26/10 10:01:05] <libpurple/oscar> Received IM from 442406467 with 1 parts
> [02/26/10 10:01:05] <libpurple/oscar> Parsing IM part, charset=0x0002,
> charsubset=0x0026, datalen=122, choice1=UTF-16BE, choice2=UTF-8,
> choice3=
> [02/26/10 10:01:05] <libpurple/oscar> Received a channel 4 message of type 0x1a.
>
> GLib-ERROR **: gmem.c:135: failed to allocate 3137339393 bytes
> aborting...

Hi Jan.  Thanks for letting us know about this!  And sorry we haven't
responded to your email!  I should probably get most of the blame
since I'm more responsible for oscar code than other people, and I
think I wrote the code that's crashing.

I can confirm that this does indeed still crash.  We see it at Meebo
occasionally.  But I don't know what causes it and I've been unable to
reproduce it.  You don't happen to know how to trigger this bug, do
you?  The code that's crashing deals with "SMS or someone has sent you
a greeting card or requested buddies."

Since I don't really know what an ICQ SMS is and can't find a way to
send one to myself, I'm leaning towards disabling that code.  And if
we don't know how to trigger this crash then I'd vote for not
bothering with a CVE or notifying packagers, since it doesn't seem to
be too serious of a problem.

--Mark
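
Added example, not part of this thread and not libpurple's code: a length-prefixed field reader that checks the declared length against the bytes actually received before it allocates, so an oversized length fails the parse instead of reaching an allocator that aborts. It assumes the failed allocation size came from a length field in the received message; the `cursor` type, the function names and both packets are hypothetical and constructed, and the bad packet's length 0xBB000000 is chosen only so that length + 1 equals the 3137339393 in the log.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cursor over one received packet (not libpurple's ByteStream). */
typedef struct {
    const uint8_t *data;
    size_t len;     /* total bytes received */
    size_t offset;  /* bytes consumed so far */
} cursor;

static size_t bytes_left(const cursor *c) { return c->len - c->offset; }

/* Read a 32-bit little-endian integer; 0 on success, -1 if the packet is short. */
static int read_le32(cursor *c, uint32_t *out)
{
    if (bytes_left(c) < 4) return -1;
    const uint8_t *p = c->data + c->offset;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    c->offset += 4;
    return 0;
}

/* Read a length-prefixed string. The declared length is untrusted input, so it
 * is compared with the bytes remaining BEFORE any allocation happens.
 * Returns a NUL-terminated copy, or NULL on a malformed packet. */
static char *read_counted_string(cursor *c)
{
    uint32_t n;
    if (read_le32(c, &n) != 0) return NULL;
    if (n > bytes_left(c)) return NULL;   /* claims more data than was sent */
    char *s = malloc((size_t)n + 1);      /* now bounded by the packet size */
    if (s == NULL) return NULL;
    memcpy(s, c->data + c->offset, n);
    s[n] = '\0';
    c->offset += n;
    return s;
}

/* Constructed sample packets. */
static const uint8_t good_pkt[] = { 0x02, 0x00, 0x00, 0x00, 'h', 'i' };
static const uint8_t bad_pkt[]  = { 0x00, 0x00, 0x00, 0xBB, 'x' }; /* 0xBB000000 */

/* Returns 1 if the packet parses, 0 if it is rejected. */
static int parse_ok(const uint8_t *buf, size_t len)
{
    cursor c = { buf, len, 0 };
    char *s = read_counted_string(&c);
    int ok = (s != NULL);
    free(s);
    return ok;
}
```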

