Simple: fix a possible NULL-pointer dereference and add some input filtering. Fixes VRT-2013-1004 release-2.x.y
authorTomasz Wasilczyk <twasilczyk@pidgin.im>
Fri, 10 Jan 2014 17:12:31 +0100
branchrelease-2.x.y
changeset6bd2dd10e5da pushlog
parent 89678e04a7ac
child dfe26ea283ee
Simple: fix a possible NULL-pointer dereference and add some input filtering. Fixes VRT-2013-1004
libpurple/protocols/simple/simple.c
libpurple/protocols/simple/sipmsg.c
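--- a/libpurple/protocols/simple/simple.c
+++ b/libpurple/protocols/simple/simple.c
@@ -1640,7 +1640,7 @@
 		cur += 2;
 		restlen = conn->inbufused - (cur - conn->inbuf);
 		if(restlen >= msg->bodylen) {
-			dummy = g_malloc(msg->bodylen + 1);
+			dummy = g_new(char, msg->bodylen + 1);
 			memcpy(dummy, cur, msg->bodylen);
 			dummy[msg->bodylen] = '\0';
 			msg->body = dummy;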
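Review bot: The g_malloc → g_new(char, …) change is cosmetic here — with a one-byte element g_new's multiplication overflow check cannot trigger — so the protection against a hostile Content-Length rests entirely on `restlen >= msg->bodylen` together with the non-negativity clamp added in sipmsg.c, and that dependency deserves a comment on the `if(restlen >= msg->bodylen)` line, e.g. `/* bodylen is clamped to >= 0 when the headers are parsed in sipmsg.c; restlen bounds the copy below */`. bodylen looks like an int (sipmsg.c prints it with %d), so `msg->bodylen + 1` is still signed arithmetic and an upper bound of INT_MAX would make it overflow before the conversion to gsize; an upper bound on the parsed value (raised on the sipmsg.c hunk) closes that. If restlen is a signed type the comparison also silently depends on bodylen never being negative, which the other hunk now guarantees. The enclosing function starts and ends outside this hunk.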
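--- a/libpurple/protocols/simple/sipmsg.c
+++ b/libpurple/protocols/simple/sipmsg.c
@@ -114,6 +114,11 @@
 	tmp2 = sipmsg_find_header(msg, "Content-Length");
 	if (tmp2 != NULL)
 		msg->bodylen = strtol(tmp2, NULL, 10);
+	if (msg->bodylen < 0) {
+		purple_debug_warning("simple", "Invalid body length: %d",
+			msg->bodylen);
+		msg->bodylen = 0;
+	}
 
 	if(msg->response) {
 		tmp2 = sipmsg_find_header(msg, "CSeq");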
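Review bot: The new `if (msg->bodylen < 0)` clamp only sees the value after `strtol(tmp2, NULL, 10)` has been assigned to bodylen, so the parse itself is still unchecked: a NULL endptr means trailing garbage in the header is accepted silently, ERANGE is never examined, and if bodylen is an int (the %d in the new warning suggests so) the long result is truncated on assignment, so an out-of-range header can wrap to a small positive value that the clamp does not catch. Parsing into a long with endptr and errno, rejecting values above INT_MAX (or a protocol-specific maximum) before the assignment, and only then storing the result keeps the clamp meaningful; that needs `<errno.h>` and `<limits.h>` in scope. The enclosing function starts and ends outside this hunk.
```c
	tmp2 = sipmsg_find_header(msg, "Content-Length");
	if (tmp2 != NULL) {
		char *end = NULL;
		long len;

		errno = 0;
		len = strtol(tmp2, &end, 10);
		/* reject empty, non-numeric, negative, out-of-range or overflowing lengths */
		if (end == tmp2 || *end != '\0' || errno == ERANGE
				|| len < 0 || len > INT_MAX) {
			purple_debug_warning("simple", "Invalid body length: %s", tmp2);
			len = 0;
		}
		msg->bodylen = (int)len;
	}
	/* … unchanged: CSeq handling … */
```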