Mercurial > pidgin.yaz
comparison src/protocols/oscar/family_icbm.c @ 14092:58c9f678b77a
[gaim-migrate @ 16717]
Fix a bug reported by Jon Oberheide. If there is an extra either 1
or 3 bytes on an incoming oscar message then our ICBM parser gets
into an infinite loop. This could open be caused by a malicious
server or a man-in-the-middle.
committer: Tailor Script <tailor@pidgin.im>
| author | Mark Doliner <mark@kingant.net> |
|---|---|
| date | Sat, 12 Aug 2006 10:59:13 +0000 |
| parents | 6fc412e59214 |
| children |
comparison
equal
deleted
inserted
replaced
| 14091:ae4cbed1b309 | 14092:58c9f678b77a |
|---|---|
| 1586 /* | 1586 /* |
| 1587 * This used to be done using tlvchains. For performance reasons, | 1587 * This used to be done using tlvchains. For performance reasons, |
| 1588 * I've changed it to process the TLVs in-place. This avoids lots | 1588 * I've changed it to process the TLVs in-place. This avoids lots |
| 1589 * of per-IM memory allocations. | 1589 * of per-IM memory allocations. |
| 1590 */ | 1590 */ |
| 1591 while (byte_stream_empty(bs)) | 1591 while (byte_stream_empty(bs) >= 4) |
| 1592 { | 1592 { |
| 1593 type = byte_stream_get16(bs); | 1593 type = byte_stream_get16(bs); |
| 1594 length = byte_stream_get16(bs); | 1594 length = byte_stream_get16(bs); |
| 1595 | 1595 |
| 1596 if (length > byte_stream_empty(bs)) | 1596 if (length > byte_stream_empty(bs)) |