msn: Fix NUL-pointer deref issue parsing Message Headers release-2.x.y
authorDaniel Atallah <datallah@pidgin.im>
Sat, 16 Mar 2013 14:17:45 -0400
branchrelease-2.x.y
changeset23cbfff68a0c pushlog
parent 932b985540e9
child ef836278304b
msn: Fix NUL-pointer deref issue parsing Message Headers

* Thanks to Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen
libpurple/protocols/msn/msg.c
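--- a/libpurple/protocols/msn/msg.c
+++ b/libpurple/protocols/msn/msg.c
@@ -178,6 +178,8 @@
 		g_free(tmp_base);
 		g_return_if_reached();
 	}
+
+	/* NUL-terminate the end of the headers - it'll get skipped over below */
 	*end = '\0';
 
 	/* Split the headers and parse each one */
@@ -195,10 +197,12 @@
 
 			/* The only one I care about is 'boundary' (which is folded from
 			   the key 'Content-Type'), so only process that. */
-			if (!strcmp(key, "boundary")) {
+			if (!strcmp(key, "boundary") && value) {
 				char *end = strchr(value, '\"');
-				*end = '\0';
-				msn_message_set_header(msg, key, value);
+				if (end) {
+					*end = '\0';
+					msn_message_set_header(msg, key, value);
+				}
 			}
 
 			g_strfreev(tokens);
@@ -210,18 +214,15 @@
 		key = tokens[0];
 		value = tokens[1];
 
-		/*if not MIME content ,then return*/
 		if (!strcmp(key, "MIME-Version"))
 		{
-			g_strfreev(tokens);
-			continue;
+			/* Ignore MIME-Version header */
 		}
-
-		if (!strcmp(key, "Content-Type"))
+		else if (!strcmp(key, "Content-Type"))
 		{
 			char *charset, *c;
 
-			if ((c = strchr(value, ';')) != NULL)
+			if (value && (c = strchr(value, ';')) != NULL)
 			{
 				if ((charset = strchr(c, '=')) != NULL)
 				{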