Correct HTTP chunked transfers code (not fixed in rev ebe3fb4a3bc2) release-2.x.y
authorTomasz Wasilczyk <tomkiewicz@cpw.pidgin.im>
Tue, 20 Aug 2013 17:36:14 +0200
branchrelease-2.x.y
changesetc9e5aba2dafd pushlog
parent e111ec8dcb3f
child 4180f5333fab
Correct HTTP chunked transfers code (not fixed in rev ebe3fb4a3bc2)
libpurple/util.c
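--- a/libpurple/util.c
+++ b/libpurple/util.c
@@ -37,6 +37,8 @@
    specified a length) */
 #define DEFAULT_MAX_HTTP_DOWNLOAD (512 * 1024)
 
+#define MAX_HTTP_CHUNK_SIZE (10 * 1024 * 1024)
+
 struct _PurpleUtilFetchUrlData
 {
 	PurpleUtilFetchUrlCallback callback;
@@ -3781,11 +3783,12 @@
 			break;
 		s += 2;
 
-		if (s + sz > data + *len) {
+		if (sz > MAX_HTTP_CHUNK_SIZE || s + sz > data + *len) {
 			purple_debug_error("util", "Error processing chunked data: "
 					"Chunk size %" G_GSIZE_FORMAT " bytes was longer "
 					"than the data remaining in the buffer (%"
 					G_GSIZE_FORMAT " bytes)\n", sz, data + *len - s);
+			break;
 		}
 
 		/* Move all data overtop of the chunk length that we read in earlier */
@@ -3793,7 +3796,7 @@
 		p += sz;
 		s += sz;
 		newlen += sz;
-		if (*s != '\r' && *(s + 1) != '\n') {
+		if (*s == '\0' || (*s != '\r' && *(s + 1) != '\n')) {
 			purple_debug_error("util", "Error processing chunked data: "
 					"Expected \\r\\n, found: %s\n", s);
 			break;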
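Review bot: The chunk-terminator test in the last hunk, `if (*s == '\0' || (*s != '\r' && *(s + 1) != '\n'))`, still accepts a malformed terminator, because `&&` only rejects when both bytes are wrong; a chunk followed by `\r` plus any byte, or any byte plus `\n`, passes and parsing continues at `s + 2`. Writing it as `if (*s != '\r' || *(s + 1) != '\n') {` rejects everything except an exact CRLF and subsumes the `'\0'` case, since a NUL at `*s` fails the first comparison before `*(s + 1)` is read. In the second hunk, `s + sz > data + *len` can still form a pointer up to `MAX_HTTP_CHUNK_SIZE` bytes past the buffer before comparing, which is undefined behaviour; comparing lengths instead, `sz > (gsize)(data + *len - s)`, avoids it, and the oversized-chunk case deserves its own log text because the current message reports a buffer shortfall. The reads of `*s` after `s += sz` appear to rely on the buffer being NUL-terminated at `data + *len`, which cannot be confirmed here because the enclosing function starts and ends outside these hunks.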