diff options
| author | Daniel Atallah <datallah@pidgin.im> | 2009-05-02 19:50:13 +0000 |
|---|---|---|
| committer | Daniel Atallah <datallah@pidgin.im> | 2009-05-02 19:50:13 +0000 |
| commit | 911b3ec88f01c7a47f9b2211ad5e65a3dd66e145 (patch) | |
| tree | e4b7e35006d9f1e9b3740b158117338ea47f82ee | |
| parent | 568946719968f9ba7497767cec1235ef33a24f6c (diff) | |
| download | pidgin-911b3ec88f01c7a47f9b2211ad5e65a3dd66e145.tar.gz | |
Make sure we call atoi on a NUL-terminated string. It isn't safe to call on
a pointer to a single char.
This came out of the veracode analysis.
| -rw-r--r-- | libpurple/protocols/qq/utils.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/libpurple/protocols/qq/utils.c b/libpurple/protocols/qq/utils.c index cc8879af8b..178b699ee9 100644 --- a/libpurple/protocols/qq/utils.c +++ b/libpurple/protocols/qq/utils.c @@ -222,7 +222,8 @@ static gchar *strstrip(const gchar *const buffer) * The return should be freed later. */ guint8 *hex_str_to_bytes(const gchar *const buffer, gint *out_len) { - gchar *hex_str, *hex_buffer, *cursor, tmp; + gchar *hex_str, *hex_buffer, *cursor; + gchar tmp[2]; guint8 *bytes, nibble1, nibble2; gint index; @@ -242,7 +243,9 @@ guint8 *hex_str_to_bytes(const gchar *const buffer, gint *out_len) index = 0; for (cursor = hex_str; cursor < hex_str + sizeof(gchar) * (strlen(hex_str)) - 1; cursor++) { if (g_ascii_isdigit(*cursor)) { - tmp = *cursor; nibble1 = atoi(&tmp); + tmp[0] = *cursor; + tmp[1] = '\0'; + nibble1 = atoi(tmp); } else if (g_ascii_isalpha(*cursor) && (gint) *cursor - 87 < 16) { nibble1 = (gint) *cursor - 87; } else { @@ -254,7 +257,9 @@ guint8 *hex_str_to_bytes(const gchar *const buffer, gint *out_len) nibble1 = nibble1 << 4; cursor++; if (g_ascii_isdigit(*cursor)) { - tmp = *cursor; nibble2 = atoi(&tmp); + tmp[0] = *cursor; + tmp[1] = '\0'; + nibble2 = atoi(tmp); } else if (g_ascii_isalpha(*cursor) && (gint) (*cursor - 87) < 16) { nibble2 = (gint) *cursor - 87; } else { |