one byte buffer overread in function purple_markup_linkify

[Ethan Blanton]

Hanno Böck wrote:
> I did some fuzzing after I saw the latest security vulnerability in
> pidgin.
> I'm not entirely sure whether all the markup functions are supposed to
> be resilient to invalid inputs, but it's certainly better if they are.

This is a general problem with UTF-8 APIs.  Performing UTF-8
validation everywhere is expensive, but failing to perform it
everywhere can lead to processing a non-UTF-8 string as UTF-8.  The
byte sequence you present is not valid UTF-8, which the purple_markup
family expects as part of its contract.

So while I agree that it would be ideal for these methods to be robust
to invalid UTF-8, they are not.  Everything passed to a purple_markup
function from the network should have been validated as UTF-8 (or
passed through purple_utf8_salvage or the like to "fix" it if it was
not).

I don't believe that this is a security problem, or a "bug" as such.
However, if you can find a place wher ea purple_markup function is
potentially *passed* an invalid UTF-8 string, then that is absolutely
a bug and should be addressed!

Thank you for your clear and detailed report, and your efforts toward
making Pidgin and libpurple more robust.

Ethan