author | Mark Doliner <markdoliner@pidgin.im> | 2010-08-10 17:53:07 +0000 |
---|---|---|
committer | Mark Doliner <markdoliner@pidgin.im> | 2010-08-10 17:53:07 +0000 |
commit | e3794c160c9a566b5cb28f0f70866709ddfce40f (patch) | |
tree | ec87c89e2582e2e602aa547b85b56e980fe46c42 | |
parent | 23b171433943e18012d2163681412c9fccf7e438 (diff) | |
*** Plucked rev a8b26bdf35f2685c221a62e65eeb041aa1f41143 (markdoliner@pidgin.im):soc.2010.icq-tlc
Fix a crash bug in oscar related to trying to allocate too much memory.
This was reported to our security mailing list by Jan Kaluza The Great.
I honestly couldn't figure out how to repro this crash, so I've been
considering it as not a remote-crash security problem, so I chose to
skip the CVE process for this.
*** Plucked rev f812c8c4d3e9195374d37965e1bcf0c4c173097d (markdoliner@pidgin.im):
Make these unsigned, in case someone figures out how to actually send
one of these and somehow manages to use a negative number. Pointed out
by Yuriy M. Kaminskiy. Thanks, Yuriy!
-rw-r--r-- | libpurple/protocols/oscar/oscar.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/libpurple/protocols/oscar/oscar.c b/libpurple/protocols/oscar/oscar.c
index 800293c708..fb1820f74d 100644
--- a/libpurple/protocols/oscar/oscar.c
+++ b/libpurple/protocols/oscar/oscar.c
@@ -1985,7 +1985,8 @@ incomingim_chan4(OscarData *od, FlapConnection *conn, aim_userinfo_t *userinfo,
 case 0x1a: { /* Handle SMS or someone has sent you a greeting card or requested buddies? */
 ByteStream qbs;
- int smstype, taglen, smslen;
+ guint16 smstype;
+ guint32 taglen, smslen;
 char *tagstr = NULL, *smsmsg = NULL;
 xmlnode *xmlroot = NULL, *xmltmp = NULL;
 gchar *uin = NULL, *message = NULL;
@@ -1999,12 +2000,23 @@ incomingim_chan4(OscarData *od, FlapConnection *conn, aim_userinfo_t *userinfo,
 if (smstype != 0) break;
 taglen = byte_stream_getle32(&qbs);
+ if (taglen > 2000) {
+ /* Avoid trying to allocate large amounts of memory, in
+ case we get something unexpected. */
+ break;
+ }
 tagstr = byte_stream_getstr(&qbs, taglen);
 if (tagstr == NULL) break;
 byte_stream_advance(&qbs, 3);
 byte_stream_advance(&qbs, 4);
 smslen = byte_stream_getle32(&qbs);
+ if (smslen > 2000) {
+ /* Avoid trying to allocate large amounts of memory, in
+ case we get something unexpected. */
+ g_free(tagstr);
+ break;
+ }
 smsmsg = byte_stream_getstr(&qbs, smslen);
 /* Check if this is an SMS being sent from server */ |
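Review bot: The cap `2000` is written twice with the same explanatory comment, once for `taglen` and once for `smslen`; it should be one named constant so the two bounds cannot drift apart, e.g. `#define OSCAR_SMS_MAX_LEN 2000` near the top of the file and `if (taglen > OSCAR_SMS_MAX_LEN)` / `if (smslen > OSCAR_SMS_MAX_LEN)` at the two checks. Each rejected length is also dropped silently; a `purple_debug_warning("oscar", "Ignoring SMS with oversized length %u\n", taglen);` before each `break` would make an attacker probing these limits visible in logs. Whether `byte_stream_getstr` itself bounds its length argument against the bytes remaining in `qbs` is not visible in this hunk; if it does not, a short packet with a length under 2000 would still read past the stream, so that helper's contract is worth confirming alongside this change. The enclosing `case 0x1a:` block, and the later use of `smsmsg` and `tagstr`, continue outside the hunk.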