diff options
author | Gary Kramlich <grim@reaperworld.com> | 2016-06-12 22:28:11 -0500 |
---|---|---|
committer | Gary Kramlich <grim@reaperworld.com> | 2016-06-12 22:28:11 -0500 |
commit | 26ab9af192e3997ae6ef89e6fb8a7dab4b265e0d (patch) | |
tree | 2aad9b55adf63750adf478e34a7d79d34ce1b2df | |
parent | 003a8caec2d36f919d7018728ccd349b537e1794 (diff) | |
parent | f16b3ccb83c4fe667760eba1d06a68f49a2307d1 (diff) | |
download | pidgin-26ab9af192e3997ae6ef89e6fb8a7dab4b265e0d.tar.gz |
Merged TALOS-CAN-0139
-rw-r--r-- | ChangeLog | 2 | ||||
-rw-r--r-- | libpurple/protocols/mxit/protocol.c | 6 |
2 files changed, 8 insertions, 0 deletions
@@ -41,6 +41,8 @@ version 2.10.13 (MM/DD/YY): Talos. (TALOS-CAN-0142) * Fixed a remote denial of service vulnerability in contact mood handling. Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0141) + * Fixed a remote out-of-bounds write vulnerability. Discovered by Yves + Younan of Cisco Talos. (TALOS-CAN-0139) version 2.10.12 (12/31/15): General: diff --git a/libpurple/protocols/mxit/protocol.c b/libpurple/protocols/mxit/protocol.c index f7f0089ade..ff4a408bf4 100644 --- a/libpurple/protocols/mxit/protocol.c +++ b/libpurple/protocols/mxit/protocol.c @@ -1840,6 +1840,12 @@ static void mxit_parse_cmd_extprofile( struct MXitSession* session, struct recor /* set the count for attributes */ count = atoi( records[0]->fields[1]->data ); + /* ensure the packet has the correct number of fields */ + if ( records[0]->fcount < ( 2 + ( count * 3 ) ) ) { + purple_debug_error( MXIT_PLUGIN_ID, "Insufficient number of fields in extprofile response. fields=%i records=%i", records[0]->fcount, count ); + return; + } + for ( i = 0; i < count; i++ ) { char* fname; char* fvalue; |