diff options
| author | Gary Kramlich <grim@reaperworld.com> | 2016-06-12 22:11:59 -0500 |
|---|---|---|
| committer | Gary Kramlich <grim@reaperworld.com> | 2016-06-12 22:11:59 -0500 |
| commit | 9bc29eb2dfe1db46807d0e5c24d62f3cbdee526e (patch) | |
| tree | 1df2e958e598987a58bb0675aea4cf8b2570efc6 | |
| parent | 812d34a1fbb9f990edf1a6d96158e1a8db3a7953 (diff) | |
| parent | 31ea530ec147c85f4e9188f18b4ec6611244d58d (diff) | |
| download | pidgin-9bc29eb2dfe1db46807d0e5c24d62f3cbdee526e.tar.gz | |
Merged TALOS-CAN-0133
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | libpurple/protocols/mxit/formcmds.c | 20 |
2 files changed, 17 insertions, 6 deletions
@@ -28,6 +28,9 @@ version 2.10.13 (MM/DD/YY): (TALOS-CAN-0123) * Fixed a directory traversal issue. Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0128) + * Fixed a remote denial of service vulnerability that could result in + a null pointer dereference. Discovered by Yves Younan of Cisco Talos. + (TALOS-CAN-0133) version 2.10.12 (12/31/15): General: diff --git a/libpurple/protocols/mxit/formcmds.c b/libpurple/protocols/mxit/formcmds.c index 0e60a6a02a..ad7681aafa 100644 --- a/libpurple/protocols/mxit/formcmds.c +++ b/libpurple/protocols/mxit/formcmds.c @@ -395,6 +395,9 @@ static void command_imagestrip(struct MXitSession* session, const char* from, GH /* validator */ validator = g_hash_table_lookup(hash, "v"); + if (!name || !validator) + return; + /* image data */ tmp = g_hash_table_lookup(hash, "dat"); if (tmp) { @@ -430,13 +433,13 @@ static void command_imagestrip(struct MXitSession* session, const char* from, GH } tmp = g_hash_table_lookup(hash, "fw"); - width = atoi(tmp); + width = (tmp ? atoi(tmp) : 0); tmp = g_hash_table_lookup(hash, "fh"); - height = atoi(tmp); + height = (tmp ? atoi(tmp) : 0); tmp = g_hash_table_lookup(hash, "layer"); - layer = atoi(tmp); + layer = (tmp ? atoi(tmp) : 0); purple_debug_info(MXIT_PLUGIN_ID, "ImageStrip %s from %s: [w=%i h=%i l=%i validator=%s]\n", name, from, width, height, layer, validator); } @@ -525,21 +528,26 @@ static void command_table(struct RXMsgData* mx, GHashTable* hash) /* table name */ name = g_hash_table_lookup(hash, "nm"); + if (!name) + return; /* number of columns */ tmp = g_hash_table_lookup(hash, "col"); - nr_columns = atoi(tmp); + nr_columns = (tmp ? atoi(tmp) : 0); /* number of rows */ tmp = g_hash_table_lookup(hash, "row"); - nr_rows = atoi(tmp); + nr_rows = (tmp ? atoi(tmp) : 0); /* mode */ tmp = g_hash_table_lookup(hash, "mode"); - mode = atoi(tmp); + mode = (tmp ? atoi(tmp) : 0); /* table data */ tmp = g_hash_table_lookup(hash, "d"); + if (!tmp) + tmp = ""; + coldata = g_strsplit(tmp, "~", 0); /* split into entries for each row & column */ purple_debug_info(MXIT_PLUGIN_ID, "Table %s from %s: [cols=%i rows=%i mode=%i]\n", name, mx->from, nr_columns, nr_rows, mode); |