Wrong buffer size calculation in msn_httpconn_parse_data

Marius Wachtler undingen at gmail.com
Thu Jul 14 11:37:03 EDT 2011


My compiler found a bug in libpurple/protocols/msn/httpconn.c
msn_httpconn_parse_data(). (Version 2.9.0)

	if ((s = strstr(buf, "\r\n\r\n")) == NULL)
		return FALSE;

	s += 4;

	if (*s == '\0')
	{
		*ret_buf = g_strdup("");
		*ret_size = 0;

		return TRUE;
	}

	buf = s;
	size -= (s - buf);

The last two lines should be swapped, otherwise the buffer size will
not be reduced.

I don't know if this has real security implications, but I thought it
better to send it to the security list...

Thank you
Marius Wachtler
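The effect of the ordering mistake, as an added example that is not part of the message above and not libpurple's own code: a minimal body-extraction routine in the buggy order beside the corrected order. It assumes a NUL-terminated HTTP response buffer and a constructed sample message; the names body_size_buggy and body_size_fixed are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libpurple code. Both functions locate the end of
 * the HTTP headers ("\r\n\r\n") and return the number of bytes that
 * remain for the body, or -1 if no header terminator is present.
 * `size` is the total length of the buffer passed in. */

/* Buggy order, as quoted from msn_httpconn_parse_data(): buf is
 * overwritten before the offset is computed, so (s - buf) is 0 and
 * size keeps its original, too-large value. */
long body_size_buggy(const char *buf, long size)
{
    const char *s = strstr(buf, "\r\n\r\n");
    if (s == NULL)
        return -1;
    s += 4;
    if (*s == '\0')
        return 0;
    buf = s;
    size -= (s - buf);   /* s - buf == 0 here: no reduction */
    return size;
}

/* Fixed order: subtract the header length first, then advance buf. */
long body_size_fixed(const char *buf, long size)
{
    const char *s = strstr(buf, "\r\n\r\n");
    if (s == NULL)
        return -1;
    s += 4;
    if (*s == '\0')
        return 0;
    size -= (s - buf);   /* header length removed from size */
    buf = s;
    return size;
}

/* Number of bytes by which (buf, size) would overrun the original
 * buffer if a caller copied `size` bytes starting at the body. */
long overrun_bytes(const char *buf, long size, long reported_body_size)
{
    const char *s = strstr(buf, "\r\n\r\n");
    if (s == NULL)
        return 0;
    long header_len = (long)(s + 4 - buf);
    long overrun = header_len + reported_body_size - size;
    return overrun > 0 ? overrun : 0;
}

int main(void)
{
    /* Constructed sample: 38 header bytes followed by a 5-byte body. */
    const char *msg = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";
    long size = (long)strlen(msg);

    long buggy = body_size_buggy(msg, size);
    long fixed = body_size_fixed(msg, size);

    printf("total %ld, buggy body size %ld, fixed body size %ld\n",
           size, buggy, fixed);
    printf("buggy result would overrun the buffer by %ld bytes\n",
           overrun_bytes(msg, size, buggy));
    return 0;
}
```

With the buggy order the returned size is the whole buffer length, so any later copy of `size` bytes from the body pointer reads past the end of the original buffer by exactly the header length; with the fixed order the returned size matches the body.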
