[Pidgin] #14518: Segfault with misplaced 366 ("End of /NAMES list") message
From: Pidgin <trac at pidgin.im>
Date: Tue Aug 16 10:50:33 EDT 2011
#14518: Segfault with misplaced 366 ("End of /NAMES list") message
-------------------+--------------------------------------------------------
Reporter: udp | Owner: elb
Type: patch | Status: new
Milestone: | Component: IRC
Version: 2.9.0 | Resolution:
Keywords: |
-------------------+--------------------------------------------------------
Description changed by udp:
Old description:
> If a misbehaving IRC server sends 366 ("End of /NAMES list") without
> sending any names and when Pidgin isn't expecting it (i.e. IRC_NAMES_FLAG
> isn't set), a NULL irc->names will be dereferenced anyway, causing a
> segmentation fault :-
>
> {{{Program received signal SIGSEGV, Segmentation fault.
> 0x00007fffe9721d2a in irc_msg_names (irc=0xdcc9b0, name=0x7fffe972726d "366", from=0xec58f0 "Bridge", args=0xebd2b0) at msgs.c:594
> 594 while (*cur) {
>
> #0 0x00007fffe9721d2a in irc_msg_names (irc=0xdcc9b0, name=0x7fffe972726d "366", from=0xec58f0 "Bridge", args=0xebd2b0) at msgs.c:594
> #1 0x00007fffe9726068 in irc_parse_msg (irc=0xdcc9b0, input=0xe640d0 ":Bridge 366 Jamie #EDS_Lounge :End of /NAMES list") at parse.c:737
> #2 0x00007fffe971eab5 in read_input (irc=0xdcc9b0, len=51) at irc.c:655
> #3 0x00007fffe971ee7f in irc_input_cb (data=0xdcc8e0, source=12, cond=PURPLE_INPUT_READ) at irc.c:734
> #4 0x000000000047b9e2 in pidgin_io_invoke (source=0xdcc7e0, condition=G_IO_IN, data=0xdcef80) at gtkeventloop.c:73
> #5 0x00007ffff35ac29d in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
> #6 0x00007ffff35aca78 in ?? () from /usr/lib/libglib-2.0.so.0
> #7 0x00007ffff35ad0ba in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
> #8 0x00007ffff5eaa1a7 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
> #9 0x000000000049c76c in main (argc=1, argv=0x7fffffffe868) at gtkmain.c:934}}}
New description:
If a misbehaving IRC server sends 366 ("End of /NAMES list") without
sending any names and when Pidgin isn't expecting it (i.e. IRC_NAMES_FLAG
isn't set), a NULL irc->names will be dereferenced anyway, causing a
segmentation fault :-
{{{
Program received signal SIGSEGV, Segmentation fault.
0x00007fffe9721d2a in irc_msg_names (irc=0xdcc9b0, name=0x7fffe972726d "366", from=0xec58f0 "Bridge", args=0xebd2b0) at msgs.c:594
594 while (*cur) {
#0 0x00007fffe9721d2a in irc_msg_names (irc=0xdcc9b0, name=0x7fffe972726d "366", from=0xec58f0 "Bridge", args=0xebd2b0) at msgs.c:594
#1 0x00007fffe9726068 in irc_parse_msg (irc=0xdcc9b0, input=0xe640d0 ":Bridge 366 Jamie #EDS_Lounge :End of /NAMES list") at parse.c:737
#2 0x00007fffe971eab5 in read_input (irc=0xdcc9b0, len=51) at irc.c:655
#3 0x00007fffe971ee7f in irc_input_cb (data=0xdcc8e0, source=12, cond=PURPLE_INPUT_READ) at irc.c:734
#4 0x000000000047b9e2 in pidgin_io_invoke (source=0xdcc7e0, condition=G_IO_IN, data=0xdcef80) at gtkeventloop.c:73
#5 0x00007ffff35ac29d in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#6 0x00007ffff35aca78 in ?? () from /usr/lib/libglib-2.0.so.0
#7 0x00007ffff35ad0ba in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#8 0x00007ffff5eaa1a7 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#9 0x000000000049c76c in main (argc=1, argv=0x7fffffffe868) at gtkmain.c:934
}}}
--
Ticket URL: <http://developer.pidgin.im/ticket/14518#comment:2>
Pidgin <http://pidgin.im>
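The failure mode the reporter describes, modelled as an added C example (this is not Pidgin's or libpurple's code): a small IRC line parser hands a 366 reply to a handler that checks the pending-NAMES state before touching the name buffer, so an unsolicited "End of /NAMES list" is ignored instead of dereferencing NULL. `struct irc_conn`, `NAMES_FLAG`, `parse_irc_line`, `handle_endofnames` and `dispatch_line` are names invented for this example and do not correspond to libpurple's identifiers; the sample line is the one quoted in the backtrace above, and the "normal case" state is constructed by hand rather than by real 353 replies.

```c
/* Added example, not Pidgin/libpurple code: a minimal model of how an IRC
 * client can handle RPL_ENDOFNAMES (366) without dereferencing a NULL name
 * buffer when the reply arrives unsolicited. All identifiers are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAMES_FLAG 0x1   /* set while a NAMES reply we asked for is in flight */
#define MAX_ARGS   16

struct irc_conn {
    unsigned flags;
    char *names;         /* nicks accumulated from 353 replies, NULL when idle */
};

/* Split ":prefix CMD arg1 arg2 :trailing" in place. Returns the argument
 * count; the trailing parameter (after " :") keeps its embedded spaces. */
static int parse_irc_line(char *line, char **prefix, char **cmd,
                          char **args, int max_args)
{
    int n = 0;
    char *p = line;

    *prefix = NULL;
    *cmd = NULL;
    if (*p == ':') {
        *prefix = p + 1;
        p = strchr(p, ' ');
        if (p == NULL)
            return 0;            /* prefix but no command: malformed line */
        *p++ = '\0';
    }
    *cmd = p;
    p = strchr(p, ' ');
    if (p != NULL)
        *p++ = '\0';
    while (p != NULL && *p != '\0' && n < max_args) {
        if (*p == ':') {         /* trailing parameter runs to end of line */
            args[n++] = p + 1;
            break;
        }
        args[n++] = p;
        p = strchr(p, ' ');
        if (p != NULL)
            *p++ = '\0';
    }
    return n;
}

/* 366 handler with the guard the ticket asks for: returns 0 and leaves
 * state untouched when no NAMES is pending (flag clear or buffer NULL),
 * 1 when a pending list was delivered and cleared. */
static int handle_endofnames(struct irc_conn *irc, int argc, char **argv)
{
    if (argc < 2)
        return 0;                /* need at least <nick> <channel> */
    if (!(irc->flags & NAMES_FLAG) || irc->names == NULL)
        return 0;                /* unsolicited 366: ignore, never touch names */
    printf("names in %s: %s\n", argv[1], irc->names);
    free(irc->names);
    irc->names = NULL;
    irc->flags &= ~NAMES_FLAG;
    return 1;
}

/* Copy one raw line, parse it and dispatch the numerics we model.
 * Returns the handler's result, or -1 for commands not handled here. */
static int dispatch_line(struct irc_conn *irc, const char *raw)
{
    char buf[512];
    char *prefix, *cmd, *args[MAX_ARGS];
    int argc;

    strncpy(buf, raw, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    argc = parse_irc_line(buf, &prefix, &cmd, args, MAX_ARGS);
    if (cmd != NULL && strcmp(cmd, "366") == 0)
        return handle_endofnames(irc, argc, args);
    return -1;
}

int main(void)
{
    struct irc_conn irc = { 0, NULL };
    /* Constructed input: the line quoted in the ticket's backtrace, arriving
     * while no NAMES request is pending (flag clear, names == NULL). */
    const char *line = ":Bridge 366 Jamie #EDS_Lounge :End of /NAMES list";

    printf("unsolicited 366 -> %d\n", dispatch_line(&irc, line));

    /* Normal case: pretend 353 replies have already filled the buffer. */
    irc.flags |= NAMES_FLAG;
    irc.names = malloc(32);
    strcpy(irc.names, "Jamie Bridge");
    printf("expected 366 -> %d\n", dispatch_line(&irc, line));
    return 0;
}
```

The guard tests both the flag and the pointer because either can be stale on its own: a server that skips the 353 replies leaves the buffer NULL with the flag set, and a duplicate 366 arrives with the flag already cleared. Treating an unexpected numeric as a no-op, rather than trusting that the session is in the state the server implies, is the general pattern for any server-driven state machine in a client.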