Merged TALOS-CAN-0139

2 files changed, 8 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
index e99db130d0..3e27d4f3ac 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,8 @@ version 2.10.13 (MM/DD/YY):
 	  Talos.  (TALOS-CAN-0142)
 	* Fixed a remote denial of service vulnerability in contact mood
 	  handling.  Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0141)
+	* Fixed a remote out-of-bounds write vulnerability.  Discovered by Yves
+	  Younan of Cisco Talos. (TALOS-CAN-0139)
 
 version 2.10.12 (12/31/15):
 	General:
diff --git a/libpurple/protocols/mxit/protocol.c b/libpurple/protocols/mxit/protocol.c
index f7f0089ade..ff4a408bf4 100644
--- a/libpurple/protocols/mxit/protocol.c
+++ b/libpurple/protocols/mxit/protocol.c
@@ -1840,6 +1840,12 @@ static void mxit_parse_cmd_extprofile( struct MXitSession* session, struct recor
 	/* set the count for attributes */
 	count = atoi( records[0]->fields[1]->data );
 
+	/* ensure the packet has the correct number of fields */
+	if ( records[0]->fcount < ( 2 + ( count * 3 ) ) ) {
+		purple_debug_error( MXIT_PLUGIN_ID, "Insufficient number of fields in extprofile response. fields=%i records=%i", records[0]->fcount, count );
+		return;
+	}
+
 	for ( i = 0; i < count; i++ ) {
 		char* fname;
 		char* fvalue;