Gadu-Gadu security issues

Mark Doliner mark at kingant.net
Sun Jan 27 18:05:43 EST 2013


These problems either aren't remotely-exploitable or don't affect
Pidgin users, right?  Tomasz, your patch looks good to me.  If there
are no objections, I propose:
- Tomasz, please commit your patch to the release-2.x.y branch at your
earliest convenience.
- Then Tomasz merges the changes from this branch into main using "hg
merge release-2.x.y" from within main and resolves conflicts.
- Tomasz passes this information (and I guess your patch? totally up
to you) along to the upstream libgadu project.

The one bug I'm most unsure about is the realloc() buffer overflow
thing (CID 732073, libpurple/protocols/gg/lib/common.c:117).

That code is ugly and seems kinda wrong to me.  For example, why call
vsnprintf() twice?  And the loop condition to decide whether to
reallocate seems wrong--the vsnprintf() man page says, "If the output
was truncated due to this limit then the return value is the number of
characters (excluding the terminating null byte) which would have been
written to the final string if enough space had been available."  But
the code looks like it's expecting to receive either -1 or size-1.

I kinda feel like that code will overflow buf by exactly 1 byte every
time the string is >128 bytes.  But it seems like this hasn't been a
source of crashes, so I'd say we should patch it in 2.x.y but not
consider a remotely-exploitable crash.
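As an added example (not the libgadu/Pidgin code under discussion, whose loop is not quoted here), a growing-buffer formatter that uses the C99 vsnprintf() return value the way the man page quoted above describes, so the second vsnprintf() call only happens after the buffer has been grown to the reported length; the initial 128-byte size and the names fmt_alloc and fmt_alloc_len are assumptions:

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical formatter (not libgadu's common.c code): start with a
 * 128-byte buffer and grow it to exactly what C99 vsnprintf() says it
 * needs.  C99 returns the full length (excluding the NUL) even when the
 * output was truncated, so "n >= size" is the truncation test; a loop
 * that only grows on -1 or size-1 never grows for a longer string and
 * then treats the truncated buffer as complete. */
char *fmt_alloc(const char *fmt, ...)
{
    size_t size = 128;
    char *buf = malloc(size);
    va_list ap, ap2;
    int n;

    if (buf == NULL)
        return NULL;

    va_start(ap, fmt);
    va_copy(ap2, ap);                 /* pristine copy for the retry */
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    if (n < 0) {                      /* encoding error or pre-C99 libc */
        va_end(ap2);
        free(buf);
        return NULL;
    }
    if ((size_t)n >= size) {          /* truncated: n+1 bytes are needed */
        char *tmp = realloc(buf, (size_t)n + 1);
        if (tmp == NULL) {
            va_end(ap2);
            free(buf);
            return NULL;
        }
        buf = tmp;
        size = (size_t)n + 1;
        vsnprintf(buf, size, fmt, ap2);  /* second call now fits exactly */
    }
    va_end(ap2);
    return buf;
}

/* Length of "[<width chars>]" as produced by fmt_alloc(); exercises the
 * fits / exactly-128 / much-longer cases across the realloc boundary. */
size_t fmt_alloc_len(int width)
{
    char *s = fmt_alloc("[%*s]", width, "x");
    size_t len = s ? strlen(s) : 0;
    free(s);
    return len;
}
```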
