Fix CVE-2010-0423, a denial of service attack due to the parsing
authorMark Doliner <markdoliner@pidgin.im>
Tue, 16 Feb 2010 09:02:23 +0000
changeseta783b23a05da pushlog
parent 6c8add94b5a4
child 41919b7e238a
Fix CVE-2010-0423, a denial of service attack due to the parsing
of large numbers of smileys. (Discovered by Antti Hayrynen)
ChangeLog
pidgin/gtkimhtml.c
     1.1 --- a/ChangeLog
     1.2 +++ b/ChangeLog
     1.3 @@ -27,7 +27,7 @@
     1.4  
     1.5  	MSN:
     1.6  	* Fix CVE-2010-0277, a possible remote crash when parsing an incoming
     1.7 -	  SLP message.  Discovered by Fabian Yamaguchi.
     1.8 +	  SLP message.  (Discovered by Fabian Yamaguchi)
     1.9  	* File transfer requests will no longer cause a crash if you delete the
    1.10  	  file before the other side accepts.
    1.11  	* Received files will no longer hold an extra lock after completion,
    1.12 @@ -74,6 +74,8 @@
    1.13  	  Mohta)
    1.14  
    1.15  	Pidgin:
    1.16 +	* Fix CVE-2010-0423, a denial of service attack due to the parsing
    1.17 +	  of large numbers of smileys.  (Discovered by Antti Hayrynen)
    1.18  	* Correctly size conversation and status box entries when the
    1.19  	  interior-focus style property is diabled. (Gabriel Schulhof)
    1.20  	* Correctly handle a multiline text field being required in a
     2.1 --- a/pidgin/gtkimhtml.c
     2.2 +++ b/pidgin/gtkimhtml.c
     2.3 @@ -2222,21 +2222,6 @@
     2.4  	return smiley->icon;
     2.5  }
     2.6  
     2.7 -static GdkPixbufAnimation *
     2.8 -gtk_smiley_tree_image (GtkIMHtml     *imhtml,
     2.9 -		       const gchar   *sml,
    2.10 -		       const gchar   *text)
    2.11 -{
    2.12 -	GtkIMHtmlSmiley *smiley;
    2.13 -
    2.14 -	smiley = gtk_imhtml_smiley_get(imhtml,sml,text);
    2.15 -
    2.16 -	if (!smiley)
    2.17 -		return NULL;
    2.18 -
    2.19 -	return gtk_smiley_get_image(smiley);
    2.20 -}
    2.21 -
    2.22  #define VALID_TAG(x)	do { \
    2.23  			if (!g_ascii_strncasecmp (string, x ">", strlen (x ">"))) {	\
    2.24  				if (tag) *tag = g_strndup (string, strlen (x));		\
    2.25 @@ -2695,6 +2680,8 @@
    2.26  	ws = g_malloc(len + 1);
    2.27  	ws[0] = '\0';
    2.28  
    2.29 +	g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(0));
    2.30 +
    2.31  	gtk_text_buffer_begin_user_action(imhtml->text_buffer);
    2.32  	while (pos < len) {
    2.33  		if (*c == '<' && gtk_imhtml_is_tag (c + 1, &tag, &tlen, &type)) {
    2.34 @@ -3547,6 +3534,8 @@
    2.35  	}
    2.36  	gtk_text_buffer_delete(imhtml->text_buffer, start, end);
    2.37  
    2.38 +	g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(0));
    2.39 +
    2.40  	g_object_unref(object);
    2.41  }
    2.42  
    2.43 @@ -4983,12 +4972,33 @@
    2.44  	GdkPixbufAnimation *annipixbuf = NULL;
    2.45  	GtkWidget *icon = NULL;
    2.46  	GtkTextChildAnchor *anchor = NULL;
    2.47 -	char *unescaped = purple_unescape_html(smiley);
    2.48 -	GtkIMHtmlSmiley *imhtml_smiley = gtk_imhtml_smiley_get(imhtml, sml, unescaped);
    2.49 +	char *unescaped;
    2.50 +	GtkIMHtmlSmiley *imhtml_smiley;
    2.51  	GtkWidget *ebox = NULL;
    2.52 +	int numsmileys_thismsg, numsmileys_total;
    2.53 +
    2.54 +	/*
    2.55 +	 * This GtkIMHtml has the maximum number of smileys allowed, so don't
    2.56 +	 * add any more.  We do this for performance reasons, because smileys
    2.57 +	 * are apparently pretty inefficient.  Hopefully we can remove this
    2.58 +	 * restriction when we're using a better HTML widget.
    2.59 +	 */
    2.60 +	numsmileys_thismsg = GPOINTER_TO_INT(g_object_get_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg"));
    2.61 +	if (numsmileys_thismsg >= 30) {
    2.62 +		gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1);
    2.63 +		return;
    2.64 +	}
    2.65 +	numsmileys_total = GPOINTER_TO_INT(g_object_get_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total"));
    2.66 +	if (numsmileys_total >= 300) {
    2.67 +		gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1);
    2.68 +		return;
    2.69 +	}
    2.70 +
    2.71 +	unescaped = purple_unescape_html(smiley);
    2.72 +	imhtml_smiley = gtk_imhtml_smiley_get(imhtml, sml, unescaped);
    2.73  
    2.74  	if (imhtml->format_functions & GTK_IMHTML_SMILEY) {
    2.75 -		annipixbuf = gtk_smiley_tree_image(imhtml, sml, unescaped);
    2.76 +		annipixbuf = imhtml_smiley ? gtk_smiley_get_image(imhtml_smiley) : NULL;
    2.77  		if (annipixbuf) {
    2.78  			if (gdk_pixbuf_animation_is_static_image(annipixbuf)) {
    2.79  				pixbuf = gdk_pixbuf_animation_get_static_image(annipixbuf);
    2.80 @@ -5042,6 +5052,9 @@
    2.81  		if (ebox)
    2.82  			gtk_container_add(GTK_CONTAINER(ebox), icon);
    2.83  		gtk_text_view_add_child_at_anchor(GTK_TEXT_VIEW(imhtml), ebox ? ebox : icon, anchor);
    2.84 +
    2.85 +		g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(numsmileys_thismsg + 1));
    2.86 +		g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(numsmileys_total + 1));
    2.87  	} else if (imhtml_smiley != NULL && (imhtml->format_functions & GTK_IMHTML_SMILEY)) {
    2.88  		anchor = gtk_text_buffer_create_child_anchor(imhtml->text_buffer, iter);
    2.89  		imhtml_smiley->anchors = g_slist_append(imhtml_smiley->anchors, g_object_ref(anchor));
    2.90 @@ -5054,6 +5067,9 @@
    2.91  			g_object_set_data_full(G_OBJECT(anchor), "gtkimhtml_htmltext", g_strdup(smiley), g_free);
    2.92  			gtk_text_view_add_child_at_anchor(GTK_TEXT_VIEW(imhtml), ebox, anchor);
    2.93  		}
    2.94 +
    2.95 +		g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(numsmileys_thismsg + 1));
    2.96 +		g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(numsmileys_total + 1));
    2.97  	} else {
    2.98  		gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1);
    2.99  	}