Mercurial > pidgin.yaz
comparison src/protocols/oscar/family_icbm.c @ 14092:58c9f678b77a
[gaim-migrate @ 16717]
Fix a bug reported by Jon Oberheide. If there is an extra either 1
or 3 bytes on an incoming oscar message then our ICBM parser gets
into an infinite loop. This could open be caused by a malicious
server or a man-in-the-middle.
committer: Tailor Script <tailor@pidgin.im>
author | Mark Doliner <mark@kingant.net> |
---|---|
date | Sat, 12 Aug 2006 10:59:13 +0000 |
parents | 6fc412e59214 |
children |
14091:ae4cbed1b309 | 14092:58c9f678b77a |
---|---|
1586 /* | 1586 /* |
1587 * This used to be done using tlvchains. For performance reasons, | 1587 * This used to be done using tlvchains. For performance reasons, |
1588 * I've changed it to process the TLVs in-place. This avoids lots | 1588 * I've changed it to process the TLVs in-place. This avoids lots |
1589 * of per-IM memory allocations. | 1589 * of per-IM memory allocations. |
1590 */ | 1590 */ |
1591 while (byte_stream_empty(bs)) | 1591 while (byte_stream_empty(bs) >= 4) |
1592 { | 1592 { |
1593 type = byte_stream_get16(bs); | 1593 type = byte_stream_get16(bs); |
1594 length = byte_stream_get16(bs); | 1594 length = byte_stream_get16(bs); |
1595 | 1595 |
1596 if (length > byte_stream_empty(bs)) | 1596 if (length > byte_stream_empty(bs)) |
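
Review bot: The bare `4` in the new loop condition on line 1591 deserves a comment or a named constant, since it is the size of the TLV header consumed by the two `byte_stream_get16()` reads for `type` and `length` on lines 1593-1594, and nothing in the code says so. A reader who later adds or removes a header read has no hint that the bound must change with it. Separately, with `>= 4` any 1 to 3 trailing bytes are now dropped silently. The commit message attributes such bytes to a malicious server or a man-in-the-middle, so a debug log after the loop when `byte_stream_empty(bs)` is still non-zero would leave a trace of a malformed ICBM instead of discarding it unseen. It would also help to note near the condition that `byte_stream_empty()` is used here as a count of remaining bytes (it is compared against `length` on line 1596), because the name reads like a boolean and the old `while (byte_stream_empty(bs))` form looked inverted at first glance.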