Simple: fix a possible NULL-pointer dereference and add some input filtering. Fixes VRT-2013-1004 release-2.x.y
authorTomasz Wasilczyk <twasilczyk@pidgin.im>
Fri, 10 Jan 2014 17:12:31 +0100
branchrelease-2.x.y
changeset6bd2dd10e5da pushlog
parent 89678e04a7ac
child dfe26ea283ee
Simple: fix a possible NULL-pointer dereference and add some input filtering. Fixes VRT-2013-1004
libpurple/protocols/simple/simple.c
libpurple/protocols/simple/sipmsg.c
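--- a/libpurple/protocols/simple/simple.c
+++ b/libpurple/protocols/simple/simple.c
@@ -1640,7 +1640,7 @@
 		cur += 2;
 		restlen = conn->inbufused - (cur - conn->inbuf);
 		if(restlen >= msg->bodylen) {
-			dummy = g_malloc(msg->bodylen + 1);
+			dummy = g_new(char, msg->bodylen + 1);
 			memcpy(dummy, cur, msg->bodylen);
 			dummy[msg->bodylen] = '\0';
 			msg->body = dummy;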
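Review bot: The allocation's memory safety at `dummy = g_new(char, msg->bodylen + 1);` still depends entirely on `msg->bodylen` being non-negative, and that invariant is established in a different file (the sign check added to sipmsg.c), which nothing at this site records. A reader of this function cannot see why `memcpy(dummy, cur, msg->bodylen)` is safe, so a comment above the `if(restlen >= msg->bodylen)` line would help: `/* bodylen is clamped to >= 0 by sipmsg_parse(); restlen must also be non-negative here, otherwise the comparison and memcpy length are wrong */`. If bodylen is an `int` as the `%d` format in sipmsg.c suggests, `msg->bodylen + 1` also overflows for INT_MAX, which is still reachable after the sign check; an upper bound on the accepted Content-Length (or a `gsize` cast before the addition) would close that. The enclosing function starts and ends outside this hunk.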
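--- a/libpurple/protocols/simple/sipmsg.c
+++ b/libpurple/protocols/simple/sipmsg.c
@@ -114,6 +114,11 @@
 	tmp2 = sipmsg_find_header(msg, "Content-Length");
 	if (tmp2 != NULL)
 		msg->bodylen = strtol(tmp2, NULL, 10);
+	if (msg->bodylen < 0) {
+		purple_debug_warning("simple", "Invalid body length: %d",
+			msg->bodylen);
+		msg->bodylen = 0;
+	}
 
 	if(msg->response) {
 		tmp2 = sipmsg_find_header(msg, "CSeq");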
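Review bot: The sign check on `msg->bodylen` runs after `strtol`'s `long` result has already been narrowed into the field, so the validation sees the truncated value rather than what the header actually said: if bodylen is an `int` as the `%d` format suggests, an out-of-`int`-range Content-Length can wrap to a small non-negative number that passes the check, and `strtol(tmp2, NULL, 10)` with no end pointer or `errno` inspection also silently maps non-numeric or overflowing input to 0 or `LONG_MAX`. Validating the `long` before storing it, with `end`/`errno` checked and an explicit upper bound, keeps the parsed length and the accepted length the same value. The rewrite below replaces the three `Content-Length` lines and the new sign check; it needs `<errno.h>` and `<limits.h>` in scope if the file does not already include them, and if header values may carry trailing whitespace the `*end != '\0'` test should skip it first. The enclosing function starts and ends outside this hunk.
```c
	tmp2 = sipmsg_find_header(msg, "Content-Length");
	if (tmp2 != NULL) {
		char *end = NULL;
		long len;

		errno = 0;
		len = strtol(tmp2, &end, 10);
		/* Reject empty or non-numeric values, trailing junk, and lengths
		 * that are negative or would not fit the bodylen field. */
		if (end == tmp2 || *end != '\0' || errno == ERANGE ||
		    len < 0 || len > INT_MAX) {
			purple_debug_warning("simple", "Invalid body length: %s", tmp2);
			len = 0;
		}
		msg->bodylen = (int)len;
	}
	/* … unchanged: CSeq handling … */
```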