Fix a buffer overflow vulnerability when parsing incoming messages release-2.x.y
authorMark Doliner <mark@kingant.net>
Mon, 02 Jul 2012 18:54:06 -0700
branchrelease-2.x.y
changesetded93865ef42 pushlog
parent a5a5365dbaa5
child b0ac46e6bef2
Fix a buffer overflow vulnerability when parsing incoming messages
containing inline images. Thanks to Ulf Härnhammar for reporting
this!
ChangeLog
libpurple/protocols/mxit/markup.c
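--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,6 @@
 Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
 
-version 2.10.5:
+version 2.10.5 (07/05/2012):
 	libpurple:
 	* Add support for GNOME3 proxy settings. (Mihai Serban) (#15054)
 
@@ -12,6 +12,11 @@
 	* Fix building with MSVC on Windows (broken in 2.10.4). (Florian
 	  Quèze)
 
+	MXit:
+	* Fix a buffer overflow vulnerability when parsing incoming messages
+	  containing inline images.  Thanks to Ulf Härnhammar for reporting
+	  this!
+
 version 2.10.4 (05/06/2012):
 	General:
 	* Support building against Farstream in addition to Farsight.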
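--- a/libpurple/protocols/mxit/markup.c
+++ b/libpurple/protocols/mxit/markup.c
@@ -361,7 +361,7 @@
 	int					start;
 	unsigned int		end;
 	int					emo_ofs;
-	char				ii[128];
+	char*				ii;
 	char				tag[64];
 	int*				img_id;
 
@@ -379,8 +379,7 @@
 			if ( end == mx->msg->len )			/* end of emoticon tag not found */
 				break;
 
-			memset( ii, 0x00, sizeof( ii ) );
-			memcpy( ii, &mx->msg->str[emo_ofs], end - emo_ofs );
+			ii = g_strndup(&mx->msg->str[emo_ofs], end - emo_ofs);
 
 			/* remove inline image tag */
 			g_string_erase( mx->msg, start, ( end - start ) + 1 );
@@ -396,6 +395,8 @@
 				g_snprintf( tag, sizeof( tag ), "<img id=\"%i\">", *img_id );
 				g_string_insert( mx->msg, start, tag );
 			}
+
+			g_free(ii);
 		}
 	}
 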
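Review bot: The heap copy made at `ii = g_strndup(&mx->msg->str[emo_ofs], end - emo_ofs);` is released only by the `g_free(ii)` added just before the loop body's closing brace, so any `continue`, `break` or `return` in the stretch between the second and third hunks (not visible here) would leak it; the only visible early exit, the `break` on the `end == mx->msg->len` line, runs before the allocation and is fine. I would state that contract at the allocation site: `/* ii is heap-allocated: every exit from this loop iteration must pass through g_free(ii) */`. The length `end - emo_ofs` mixes `unsigned int end` with `int emo_ofs`, so the subtraction is evaluated unsigned and would become a huge length if `end` were ever smaller than `emo_ofs`; presumably `end` is found by scanning forward from `emo_ofs` in the lines above the second hunk, which would rule that out, but it is worth confirming. Initialising the declaration as `char*				ii = NULL;` would also keep a `g_free(ii)` harmless should the control flow be reshuffled later. The enclosing function starts and ends outside these hunks.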