Fix a remotely-triggerable null pointer dereference. release-2.x.y
authorMark Doliner <mark@kingant.net>
Sat, 18 Jan 2014 09:01:20 -0800
branchrelease-2.x.y
changeset852014ae74a0 pushlog
parent 07e827917960
child 4d9be297d399
Fix a remotely-triggerable null pointer dereference.
ChangeLog
libpurple/conversation.c
libpurple/log.c
libpurple/server.c
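--- a/ChangeLog
+++ b/ChangeLog
@@ -95,6 +95,8 @@
 	  matches the 'to' address of the iq request. (Discovered by Fabian
 	  Yamaguchi and Christian Wressnegger of the University of Goettingen)
 	  (CVE-2013-6483)
+	* Fix crash on some systems when receiving fake delay timestamps with
+	  extreme values. (Discovered by Jaime Breva Ribes) (CVE-2013-6477)
 	* Fix possible crash or other erratic behavior when selecting a very
 	  small file for your own buddy icon.
 	* Fix crash if the user tries to initiate a voice/video session with a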
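--- a/libpurple/conversation.c
+++ b/libpurple/conversation.c
@@ -1551,6 +1551,14 @@
 	if (purple_conv_chat_is_user_ignored(chat, who))
 		return;
 
+	if (mtime < 0) {
+		purple_debug_error("conversation",
+				"purple_conv_chat_write ignoring negative timestamp\n");
+		/* TODO: Would be more appropriate to use a value that indicates
+		   that the timestamp is unknown, and surface that in the UI. */
+		mtime = time(NULL);
+	}
+
 	if (!(flags & PURPLE_MESSAGE_WHISPER)) {
 		const char *str;
 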
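Review bot: The new guard `if (mtime < 0)` rejects only negative values, while the ChangeLog entry in this commit speaks of timestamps with extreme values; a very large positive `mtime` can also make localtime() return NULL on some platforms, and it still passes through here. The same one-sided check is repeated in both libpurple/server.c hunks (serv_got_im and serv_got_chat_in). Consider testing representability directly, e.g. `if (mtime < 0 || localtime(&mtime) == NULL) {`, and rewording the message to say "out-of-range" rather than "negative". Whether any later consumer of `mtime` still dereferences localtime()'s result is not visible on this page. The enclosing function starts and ends outside the hunk.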
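--- a/libpurple/log.c
+++ b/libpurple/log.c
@@ -753,7 +753,7 @@
 {
 	gboolean show_date;
 	char *date;
-	struct tm tm;
+	struct tm *tm;
 
 	show_date = (log->type == PURPLE_LOG_SYSTEM) || (time(NULL) > when + 20*60);
 
@@ -763,11 +763,11 @@
 	if (date != NULL)
 		return date;
 
-	tm = *(localtime(&when));
+	tm = localtime(&when);
 	if (show_date)
-		return g_strdup(purple_date_format_long(&tm));
+		return g_strdup(purple_date_format_long(tm));
 	else
-		return g_strdup(purple_time_format(&tm));
+		return g_strdup(purple_time_format(tm));
 }
 
 /* NOTE: This can return msg (which you may or may not want to g_free())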
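Review bot: `tm` can now be NULL when it reaches `purple_date_format_long(tm)` and `purple_time_format(tm)` in the second hunk, because localtime() returns NULL for a `when` it cannot represent; whether those helpers accept a NULL argument is not visible on this page. If they do, state that above the call, e.g. `/* localtime() may return NULL; the format helpers are expected to handle that */`. If they do not, add a fallback such as `if (tm == NULL) { when = time(NULL); tm = localtime(&when); }` before the `if (show_date)`. The function's signature and the start of its body are outside the hunks.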
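--- a/libpurple/server.c
+++ b/libpurple/server.c
@@ -567,6 +567,14 @@
 
 	account  = purple_connection_get_account(gc);
 
+	if (mtime < 0) {
+		purple_debug_error("server",
+				"serv_got_im ignoring negative timestamp\n");
+		/* TODO: Would be more appropriate to use a value that indicates
+		   that the timestamp is unknown, and surface that in the UI. */
+		mtime = time(NULL);
+	}
+
 	/*
 	 * XXX: Should we be setting this here, or relying on prpls to set it?
 	 */
@@ -905,6 +913,14 @@
 	g_return_if_fail(who != NULL);
 	g_return_if_fail(message != NULL);
 
+	if (mtime < 0) {
+		purple_debug_error("server",
+				"serv_got_chat_in ignoring negative timestamp\n");
+		/* TODO: Would be more appropriate to use a value that indicates
+		   that the timestamp is unknown, and surface that in the UI. */
+		mtime = time(NULL);
+	}
+
 	for (bcs = g->buddy_chats; bcs != NULL; bcs = bcs->next) {
 		conv = (PurpleConversation *)bcs->data;
 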
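Review bot: The debug line added in the second hunk, `"serv_got_chat_in ignoring negative timestamp\n"`, records neither the rejected value nor the sender, so someone reading the log cannot tell which peer supplied the malformed timestamp or how often it happens. `who` is already checked for NULL just above the guard, so the call could become `purple_debug_error("server", "serv_got_chat_in ignoring negative timestamp %" G_GINT64_FORMAT " from %s\n", (gint64)mtime, who);`. The serv_got_im hunk would benefit from the same detail if the sender name is in scope there, which this page does not show. Both functions start and end outside their hunks.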