Wrong buffer size calculation in msn_httpconn_parse_data
Marius Wachtler
undingen at gmail.com
Thu Jul 14 11:37:03 EDT 2011
Hello
My compiler found a bug in libpurple/protocols/msn/httpconn.c
msn_httpconn_parse_data(). (Version 2.9.0)
    if ((s = strstr(buf, "\r\n\r\n")) == NULL)
        return FALSE;

    s += 4;

    if (*s == '\0')
    {
        *ret_buf = g_strdup("");
        *ret_size = 0;

        msn_httpconn_process_queue(httpconn);

        return TRUE;
    }

    buf = s;
    size -= (s - buf);
The last two lines should be swapped, otherwise the buffer size will
not be reduced.

I don't know if this has real security implications but I thought
I'd better send it to the security list...
Thank you
Marius Wachtler
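To make the arithmetic concrete, here is a small stand-alone reproduction of the two orderings (added example, not libpurple code; SAMPLE is a constructed HTTP-style buffer, and body_size_buggy/body_size_fixed are hypothetical helpers that mirror only the few lines quoted above). With the reported ordering the computed size stays equal to the full buffer length, overstating the body by the header length; with the subtraction first, it equals the body length.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: minimal HTTP response with a 5-byte body ("hello").
 * Total length 43, header (up to and including "\r\n\r\n") 38 bytes. */
static const char SAMPLE[] =
    "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";

/* Mirrors the ordering in the report: buf is advanced before the
 * subtraction, so (s - buf) is 0 and size is never reduced.
 * Returns the size the caller would believe the body has,
 * or -1 if the header terminator is missing. */
long body_size_buggy(const char *buf, long size)
{
    const char *s = strstr(buf, "\r\n\r\n");
    if (s == NULL)
        return -1;
    s += 4;
    buf = s;            /* buf now equals s ... */
    size -= (s - buf);  /* ... so this subtracts 0 */
    return size;
}

/* Corrected ordering: account for the header bytes before moving buf. */
long body_size_fixed(const char *buf, long size)
{
    const char *s = strstr(buf, "\r\n\r\n");
    if (s == NULL)
        return -1;
    s += 4;
    size -= (s - buf);  /* header length removed from the remaining size */
    buf = s;            /* buf now points at the body */
    (void)buf;          /* would be handed to the caller in the real code */
    return size;
}

/* Accessors on the constructed sample, so both orderings can be compared. */
long sample_total_size(void) { return (long)(sizeof(SAMPLE) - 1); }
long sample_buggy(void)      { return body_size_buggy(SAMPLE, sample_total_size()); }
long sample_fixed(void)      { return body_size_fixed(SAMPLE, sample_total_size()); }
```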