Remote exploitable crash on win32

Eion Robb eion at robbmob.com
Fri Jan 20 00:16:32 EST 2012


On 18 January 2012 18:29, Eion Robb <eion at robbmob.com> wrote:

> Just now there was a user in #pidgin who managed to trigger a remote crash on my
> windows system through what looks like a Pango glyph error.  I've attached
> the html file (renamed as htmlx since viewing the history caused crashes
> too) of the log that was causing the crashes.
>
> Nothing appears in the Pidgin crash RPT dump file but there is a single
> line in the debug log:
> Pango:ERROR:basic-win32.c:485:convert_log_clusters_to_byte_offsets:
> assertion failed: (glyphs->log_clusters[glyphix] < n_chars)
>
> In the html log file, there appears to be an invisible character on line 9
> at offset 81
>


Attached is a plugin that prevents the issue, based on findings from XChat
devs, if someone cares to host it (or I can host it when I get home later
this evening).  I haven't yet tested it with every single codepoint to make
sure there aren't still crashable characters, but it does prevent the
character as mentioned in
https://bugzilla.gnome.org/show_bug.cgi?id=668154 from remotely
crashing Pidgin.

Cheers,
Eion
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120120/b30155ee/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: win32_gtk_non_bmp_filter.c
Type: text/x-csrc
Size: 3784 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120120/b30155ee/attachment-0001.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: win32_gtk_non_bmp_filter.dll
Type: application/octet-stream
Size: 591726 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120120/b30155ee/attachment-0001.dll>
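Added example, not Eion's attached plugin and not Pidgin, GTK or Pango code: a stand-alone C filter of the kind the attachment name (win32_gtk_non_bmp_filter) suggests, which rewrites untrusted UTF-8 text before it reaches the renderer, replacing every code point outside the Basic Multilingual Plane (U+10000 and above) with U+FFFD. The exact behaviour of the attached plugin is not on this page, so the choice of U+FFFD as the replacement, the treatment of malformed sequences (overlong, surrogate, truncated and stray continuation bytes are replaced as well here; the message does not say whether the plugin does that), the function names utf8_decode, filter_non_bmp and filter_check, and the sample string are all assumptions. It uses no GLib so it builds with any C compiler; a real Pidgin plugin would call something like this from libpurple's message-receiving signal handlers, which this example does not do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one UTF-8 sequence from s (len bytes available) into *cp.
 * Returns the number of bytes consumed (1..4), or 0 for an invalid,
 * overlong, surrogate or truncated sequence. */
static size_t utf8_decode(const unsigned char *s, size_t len, uint32_t *cp)
{
    uint32_t c, min;
    size_t n, i;

    if (len == 0)
        return 0;
    if (s[0] < 0x80) {
        *cp = s[0];
        return 1;
    }
    if ((s[0] & 0xE0) == 0xC0)      { n = 2; c = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { n = 3; c = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { n = 4; c = s[0] & 0x07; min = 0x10000; }
    else
        return 0;               /* stray continuation byte, or 0xF8..0xFF */
    if (len < n)
        return 0;               /* truncated sequence */
    for (i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min || c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
        return 0;               /* overlong, out of range, or UTF-16 surrogate */
    *cp = c;
    return n;
}

/* Rewrite the NUL-terminated UTF-8 string `in` into `out`, replacing every
 * code point outside the Basic Multilingual Plane and every invalid byte
 * with U+FFFD (EF BF BD). `out` needs room for 3 * strlen(in) + 1 bytes in
 * the worst case. Returns the number of replacements made, or (size_t)-1
 * if `out` is too small. (Assumed mitigation, not the attached plugin.) */
size_t filter_non_bmp(const char *in, char *out, size_t out_size)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t len = strlen(in), i = 0, o = 0, replaced = 0;

    while (i < len) {
        uint32_t cp;
        size_t n = utf8_decode(p + i, len - i, &cp);

        if (n != 0 && cp < 0x10000) {
            if (o + n >= out_size)
                return (size_t)-1;
            memcpy(out + o, p + i, n);          /* valid BMP code point: keep */
            o += n;
            i += n;
        } else {
            if (o + 3 >= out_size)
                return (size_t)-1;
            memcpy(out + o, "\xEF\xBF\xBD", 3); /* U+FFFD REPLACEMENT CHARACTER */
            o += 3;
            i += (n != 0) ? n : 1;              /* skip the sequence, or one bad byte */
            replaced++;
        }
    }
    out[o] = '\0';
    return replaced;
}

/* Helper: filter `in` and compare with `expected`. Returns the replacement
 * count, or -1 if the output differs or the buffer was too small. */
long filter_check(const char *in, const char *expected)
{
    char out[256];
    size_t r = filter_non_bmp(in, out, sizeof out);

    if (r == (size_t)-1 || strcmp(out, expected) != 0)
        return -1;
    return (long)r;
}

int main(void)
{
    /* Constructed sample: ASCII, a BMP character (U+00E9), a supplementary
     * plane emoji (U+1F600) and a stray continuation byte. */
    const char sample[] = "caf\xC3\xA9 \xF0\x9F\x98\x80 ok\x80";
    char out[3 * sizeof(sample)];
    size_t n = filter_non_bmp(sample, out, sizeof out);

    printf("%zu replaced: %s\n", n, out);
    return 0;
}
```

Because the replacement character is itself in the BMP and a dropped 4-byte sequence is replaced by 3 bytes, the output can only grow when invalid single bytes are expanded, which is why the caller sizes the buffer at three times the input. Note Eion's own caveat above: he had not tested every code point, so a non-BMP filter addresses the character from the bug report, and is not evidence that no BMP character can trigger the same Pango assertion.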

