author | Gary Kramlich <grim@reaperworld.com> | 2021-07-08 19:33:19 -0500 |
---|---|---|
committer | Gary Kramlich <grim@reaperworld.com> | 2021-07-08 19:33:19 -0500 |
commit | 8dcd505f35bc6cd46294375bee4ace1a5628d2ec (patch) | |
tree | 719ca0f5597e963c0eab913fea2ad7e916e5a4f8 | |
parent | 28f7252836c7a862d64ec00c1f7cc61fd701f3f4 (diff) | |
download | pidgin-8dcd505f35bc6cd46294375bee4ace1a5628d2ec.tar.gz |
Fix an out of bounds write in purple_markup_linkify.
This was found by Thomas Roth <code@stacksmashing.net>, Dominik Maier
<mail@dmnk.co>, and Fabian Freyer <mail@fabianfreyer.de>.
Testing Done:
Compiled and ran the `purple_markup_linkify_fuzzer` from the google oss-fuzz project to verify the fix.
Reviewed at https://reviews.imfreedom.org/r/781/
-rw-r--r-- | libpurple/util.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libpurple/util.c b/libpurple/util.c index 640bdbd693..67e92de25d 100644 --- a/libpurple/util.c +++ b/libpurple/util.c @@ -2286,8 +2286,9 @@ purple_markup_linkify(const char *text) /* strip off trailing periods */ if (strlen(url_buf) > 0) { - for (d = url_buf + strlen(url_buf) - 1; *d == '.'; d--, t--) + for (d = url_buf + strlen(url_buf) - 1; (d >= url_buf) && (*d == '.'); d--, t--) { *d = '\0'; + } } tmpurlbuf = purple_unescape_html(url_buf); |
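Review bot: In the rewritten `for` condition, `(d >= url_buf)` is only evaluated after `d--` has already moved `d` to `url_buf - 1` when `url_buf` consists entirely of periods, and forming a pointer before the start of the buffer is undefined behaviour in C even though the short-circuit keeps it from being dereferenced. Counting down a length avoids this: `size_t len = strlen(url_buf); while (len > 0 && url_buf[len - 1] == '.') { url_buf[--len] = '\0'; t--; }`, which also drops the second `strlen` call and makes the outer `if (strlen(url_buf) > 0)` unnecessary. `t` is still decremented once per stripped period with no bound of its own in this hunk, so a short comment stating why it cannot move before the start of the input would help. Since the diffstat shows only `util.c` changed, a unit test covering a URL buffer made up only of periods would keep the fix covered outside the fuzzer.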