Jabber: Incomplete UTF-8 string causes g_markup_escape_text to crash.

Ethan Blanton elb at pidgin.im
Tue Jun 9 19:12:16 EDT 2015


Mitch Davis spake unto us the following wisdom:
> > I thought your follow-up indicated that there was *not* actually a
> > crash?
> 
> Yes it's a crash.  My follow-up was to say that the log I included
> doesn't show a crash (but does show the problem, that due to luck,
> didn't crash it on that run).

OK, I misunderstood, then.

> > What is the actual situation?
> 
> Pidgin can be crashed on arrival of data that meets a certain condition.
> 
> The problem occurs when a packet that's passed to the SSL rx handler
> has an incomplete UTF-8 multibyte char on the end.  When the packet is
> logged, things in glib break on the incomplete sequence.  Please see
> my earlier post for other code which has had the same problem, and has
> been fixed, as well as a discussion of the problem.

OK.  That's easy enough to fix (that text should be salvaged somehow
before it's sent to the log).  Whether it needs an embargo and
coordinated release depends on what kind of crash it is; someone needs
to determine that.  (The previously-referenced bug may indicate this.)
I doubt in any case that it's severe enough to require an immediate
release (sounds like it can be worked around by turning off logging,
for example).

Ethan
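As an added example (not code from this thread or from Pidgin), a plain-C helper in the spirit of the "salvage it before it's sent to the log" suggestion above: it keeps only the longest well-formed UTF-8 prefix of a received buffer, so an incomplete trailing multibyte sequence never reaches a logger that expects valid UTF-8. The function names and the sample packet are assumptions; glib is not used.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper (not Pidgin's code): length of the longest well-formed
 * UTF-8 prefix of buf[0..len).  A multibyte character cut off at the end of a
 * packet (the case in this thread) simply stops the scan, so the prefix is
 * always safe to pass to a logger that expects valid UTF-8. */
size_t utf8_valid_prefix_len(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i], c1;
        size_t need, k;
        if (c < 0x80) { i++; continue; }            /* ASCII byte */
        if (c >= 0xC2 && c <= 0xDF)      need = 1;  /* 2-byte lead */
        else if ((c & 0xF0) == 0xE0)     need = 2;  /* 3-byte lead */
        else if (c >= 0xF0 && c <= 0xF4) need = 3;  /* 4-byte lead */
        else return i;       /* stray continuation byte, or 0xC0/0xC1/0xF5+ */
        if (len - i < need + 1) return i;  /* incomplete sequence at buffer end */
        c1 = buf[i + 1];
        if (c == 0xE0 && c1 < 0xA0) return i;  /* overlong 3-byte form */
        if (c == 0xED && c1 > 0x9F) return i;  /* UTF-16 surrogate range */
        if (c == 0xF0 && c1 < 0x90) return i;  /* overlong 4-byte form */
        if (c == 0xF4 && c1 > 0x8F) return i;  /* above U+10FFFF */
        for (k = 1; k <= need; k++)
            if ((buf[i + k] & 0xC0) != 0x80) return i;  /* bad continuation */
        i += need + 1;
    }
    return len;
}
/* Copy the salvaged prefix, NUL-terminated, into out; return bytes dropped. */
size_t salvage_for_log(const unsigned char *pkt, size_t len, char *out, size_t outsz)
{
    size_t keep = utf8_valid_prefix_len(pkt, len);
    if (keep >= outsz) keep = outsz - 1;   /* never overrun the log buffer */
    memcpy(out, pkt, keep);
    out[keep] = '\0';
    return len - keep;
}
int main(void)
{
    /* Constructed packet: "<message>h\xC3\xA9llo" followed by the first two
     * bytes of a three-byte sequence (U+20AC), as if split across records. */
    const unsigned char pkt[] = "<message>h\xC3\xA9llo\xE2\x82";
    char line[64];
    size_t dropped = salvage_for_log(pkt, sizeof pkt - 1, line, sizeof line);
    printf("log: %s (dropped %zu trailing byte(s))\n", line, dropped);
    return 0;
}
```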

