Possible null-pointer dereference in libpurple /protocols/yahoo/libymsg.c

Marius Wachtler undingen at gmail.com
Thu Feb 24 20:50:26 EST 2011

Hello and thanks for your response.

I also think that this issue shouldn't be a real problem, so I'm fine with
fixing it in the next release.

As for your patch, I think this won't fix the issue, because a few lines
after the if, "sms" will still be dereferenced (so if pkt->status has a
different value...).
So I think early exiting would be the best.

--- libymsg.c_old	2011-02-25 09:37:06.719072000 -0800
+++ libymsg.c	2011-02-25 09:39:49.179072003 -0800
@@ -922,6 +922,9 @@
 		l = l->next;

+    if (!sms)
+        return; /* received malformed packet */
 	if( (pkt->status == -1) || (pkt->status == YAHOO_STATUS_DISCONNECTED) ) {
 		if (server_msg) {
 			PurpleConversation *c;
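
Review bot: the two added lines use four spaces for indentation while the surrounding libymsg.c code (`l = l->next;`, the `if( (pkt->status == -1) ...` line) is indented with tabs; match the file's tab style before this goes in. Two further things worth checking in the full function rather than this hunk alone: that nothing allocated above the inserted `if (!sms)` check is leaked by the bare `return;`, and that a malformed packet is at least logged (for example via purple_debug_warning) rather than silently dropped, so a peer sending such packets shows up in the debug output.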

But in the mean time I have looked at other possible similar bugs and
found one in:

libymsg.c: yahoo_process_notify()
This time the problematic variable is called "stat", and this function
also gets called from the code which handles the p2p packets.
I have no knowledge of the yahoo messenger protocol, but if this is
really data which comes from another peer this can be a real problem.

Thanks for your response.

-- Marius Wachtler
