Correct HTTP chunked transfers code (not fixed in rev ebe3fb4a3bc2) release-2.x.y
authorTomasz Wasilczyk <tomkiewicz@cpw.pidgin.im>
Tue, 20 Aug 2013 17:36:14 +0200
branchrelease-2.x.y
changesetc9e5aba2dafd pushlog
parent e111ec8dcb3f
child 4180f5333fab
Correct HTTP chunked transfers code (not fixed in rev ebe3fb4a3bc2)
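--- a/libpurple/util.c
+++ b/libpurple/util.c
@@ -37,6 +37,8 @@
    specified a length) */
 #define DEFAULT_MAX_HTTP_DOWNLOAD (512 * 1024)
 
+#define MAX_HTTP_CHUNK_SIZE (10 * 1024 * 1024)
+
 struct _PurpleUtilFetchUrlData
 {
 	PurpleUtilFetchUrlCallback callback;
@@ -3781,11 +3783,12 @@
 			break;
 		s += 2;
 
-		if (s + sz > data + *len) {
+		if (sz > MAX_HTTP_CHUNK_SIZE || s + sz > data + *len) {
 			purple_debug_error("util", "Error processing chunked data: "
 					"Chunk size %" G_GSIZE_FORMAT " bytes was longer "
 					"than the data remaining in the buffer (%"
 					G_GSIZE_FORMAT " bytes)\n", sz, data + *len - s);
+			break;
 		}
 
 		/* Move all data overtop of the chunk length that we read in earlier */
@@ -3793,7 +3796,7 @@
 		p += sz;
 		s += sz;
 		newlen += sz;
-		if (*s != '\r' && *(s + 1) != '\n') {
+		if (*s == '\0' || (*s != '\r' && *(s + 1) != '\n')) {
 			purple_debug_error("util", "Error processing chunked data: "
 					"Expected \\r\\n, found: %s\n", s);
 			break;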
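Review bot: The CRLF check in the last hunk still joins the two byte comparisons with `&&`, so it reports an error only when both bytes are wrong; a chunk followed by `\r` plus any other byte, or by any byte plus `\n`, is still treated as correctly terminated. Requiring both bytes fixes that and makes the added NUL test redundant: `if (s[0] != '\r' || s[1] != '\n') {` (a NUL at `s[0]` fails the first comparison, so `s[1]` is not read). The loop continues outside the hunk, so the step after this check is not visible; if it advances `s` by two, as the `s += 2;` earlier in the loop suggests, the current form lets `s` move past a terminating NUL when the buffer ends in `\r`. In the second hunk the bounds test would also be safer as a length comparison, `sz > (gsize)(data + *len - s)`, which avoids forming `s + sz` beyond the buffer, and the log text should say when the `MAX_HTTP_CHUNK_SIZE` cap is what rejected the chunk.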