diff options
| author | Gary Kramlich <grim@reaperworld.com> | 2016-06-12 22:29:45 -0500 |
|---|---|---|
| committer | Gary Kramlich <grim@reaperworld.com> | 2016-06-12 22:29:45 -0500 |
| commit | d6d2faab8a9ce858d0915ed29ade979e95a407f5 (patch) | |
| tree | 912ddaa78dfe75691b1309974810d394405063d6 | |
| parent | 26ab9af192e3997ae6ef89e6fb8a7dab4b265e0d (diff) | |
| parent | 88fb47f0cc6f1bcbdbc3c8c2821d750d15ac5bb9 (diff) | |
| download | pidgin-d6d2faab8a9ce858d0915ed29ade979e95a407f5.tar.gz | |
Merged TALOS-CAN-0143
| -rw-r--r-- | ChangeLog | 2 | ||||
| -rw-r--r-- | libpurple/protocols/mxit/protocol.c | 19 |
2 files changed, 21 insertions, 0 deletions
@@ -43,6 +43,8 @@ version 2.10.13 (MM/DD/YY): handling. Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0141) * Fixed a remote out-of-bounds write vulnerability. Discovered by Yves Younan of Cisco Talos. (TALOS-CAN-0139) + * Fix a remote out-of-bounds read. Discovered by Yves Younan of Cisco + Talos. (TALOS-CAN-0143) version 2.10.12 (12/31/15): General: diff --git a/libpurple/protocols/mxit/protocol.c b/libpurple/protocols/mxit/protocol.c index ff4a408bf4..1c7f9059f2 100644 --- a/libpurple/protocols/mxit/protocol.c +++ b/libpurple/protocols/mxit/protocol.c @@ -2020,6 +2020,12 @@ static void mxit_parse_cmd_suggestcontacts( struct MXitSession* session, struct * userid \1 contactType \1 value0 \1 value1 ... valueN */ + /* ensure that record[0] contacts the minumum number of fields */ + if ( records[0]->fcount < 4 ) { + purple_debug_error( MXIT_PLUGIN_ID, "Insufficient number of fields in suggest contacts response. fields=%i", records[0]->fcount ); + return; + } + /* the type of results */ searchType = atoi( records[0]->fields[0]->data ); @@ -2029,11 +2035,24 @@ static void mxit_parse_cmd_suggestcontacts( struct MXitSession* session, struct /* set the count for attributes */ count = atoi( records[0]->fields[3]->data ); + /* ensure that record[0] contains the specified number of attributes */ + if ( records[0]->fcount < ( 4 + count ) ) { + purple_debug_error( MXIT_PLUGIN_ID, "Insufficient number of fields in suggest contacts response. fields=%i attributes=%i", records[0]->fcount, count ); + return; + } + for ( i = 1; i < rcount; i ++ ) { struct record* rec = records[i]; struct MXitProfile* profile = g_new0( struct MXitProfile, 1 ); int j; + /* ensure that each result contains the specified number of attributes */ + if ( rec->fcount != ( 2 + count ) ) { + purple_debug_error( MXIT_PLUGIN_ID, "Insufficient number of fields in suggest contacts response. fields=%i attributes=%i", rec->fcount, count ); + g_free( profile ); + continue; + } + g_strlcpy( profile->userid, rec->fields[0]->data, sizeof( profile->userid ) ); // TODO: ContactType - User or Service |