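--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,9 @@
 MXit:
 * Fix a bug where a remote MXit user could possibly specify a local
 file path to be written to. (CVE-2013-0271)
+ * Fix a bug where the MXit server or a man-in-the-middle could
+ potentially send specially crafted data that could overflow a buffer
+ and lead to a crash or remote code execution. (CVE-2013-0272)
 * Display farewell messages in a different colour to distinguish
 them from normal messages.
 * Add support for typing notification.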
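--- a/libpurple/protocols/mxit/http.c
+++ b/libpurple/protocols/mxit/http.c
@@ -116,11 +116,12 @@
 buflen = session->rx_i;
 
 /* read bytes from the socket */
- len = read( session->fd, buf + buflen, sizeof( buf ) - buflen );
+ len = read( session->fd, buf + buflen, sizeof( buf ) - ( buflen + 1 ) );
 if ( len <= 0 ) {
 /* connection has been terminated, or error occurred */
 goto done;
 }
+ buf[buflen+len] = '\0';
 
 //nextpacket:
 
@@ -181,7 +182,11 @@
 g_free( tmp );
 tmp = NULL;
 
- if ( buflen > ( ( body - buf ) + bodylen ) ) {
+ if ( buflen + bodylen >= CP_MAX_PACKET ) {
+ /* this packet is way to big */
+ goto done;
+ }
+ else if ( buflen > ( ( body - buf ) + bodylen ) ) {
 /* we have a second packet here */
 next = body + bodylen;
 session->rx_res = 0;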
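Review bot: The new size check `if ( buflen + bodylen >= CP_MAX_PACKET )` in the second hunk bounds bodylen only from above, so a negative value passes it and can still reach `next = body + bodylen` in the branch below. bodylen is assigned outside the hunk; if it is parsed from a peer-supplied length field, reject negatives and avoid the signed sum, for example `if ( bodylen < 0 || bodylen >= CP_MAX_PACKET - buflen ) {`. In the first hunk, `sizeof( buf ) - ( buflen + 1 )` is unsigned arithmetic and wraps to a very large count if session->rx_i ever reaches sizeof( buf ), so a guard before the read such as `if ( buflen >= (int) sizeof( buf ) - 1 ) goto done;` would make the bound explicit. The enclosing function starts and ends outside both hunks, so any existing limit on rx_i is not visible here.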