Mercurial > pidgin.yaz
comparison libpurple/protocols/qq/im.c @ 31053:943fce8ef142
Fix for CVE-2010-3711. Properly validate the return value from
purple_base64_decode() (the CVE issue) and purple_base16_decode() (just a bug).
Coincidentally, this should also fix #12614.
committer: John Bailey <rekkanoryo@rekkanoryo.org>
| author | Daniel Atallah <daniel.atallah@gmail.com> |
|---|---|
| date | Sun, 17 Oct 2010 03:55:04 +0000 |
| parents | 351d07aefb09 |
| children | 4deef745de87 |
comparison
equal
deleted
inserted
replaced
| 31044:0050a61df60c | 31053:943fce8ef142 |
|---|---|
| 545 { | 545 { |
| 546 qq_im_format *fmt; | 546 qq_im_format *fmt; |
| 547 const gchar *start, *end, *last; | 547 const gchar *start, *end, *last; |
| 548 GData *attribs; | 548 GData *attribs; |
| 549 gchar *tmp; | 549 gchar *tmp; |
| 550 unsigned char *rgb; | |
| 551 | 550 |
| 552 g_return_val_if_fail(msg != NULL, NULL); | 551 g_return_val_if_fail(msg != NULL, NULL); |
| 553 | 552 |
| 554 fmt = qq_im_fmt_new(); | 553 fmt = qq_im_fmt_new(); |
| 555 | 554 |
| 568 fmt->attr &= 0x0f; | 567 fmt->attr &= 0x0f; |
| 569 } | 568 } |
| 570 | 569 |
| 571 tmp = g_datalist_get_data(&attribs, "color"); | 570 tmp = g_datalist_get_data(&attribs, "color"); |
| 572 if (tmp && strlen(tmp) > 1) { | 571 if (tmp && strlen(tmp) > 1) { |
| 573 rgb = purple_base16_decode(tmp + 1, NULL); | 572 unsigned char *rgb; |
| 574 g_memmove(fmt->rgb, rgb, 3); | 573 gsize rgb_len; |
| 574 rgb = purple_base16_decode(tmp + 1, &rgb_len); | |
| 575 if (rgb != NULL && rgb_len >= 3) | |
| 576 g_memmove(fmt->rgb, rgb, 3); | |
| 575 g_free(rgb); | 577 g_free(rgb); |
| 576 } | 578 } |
| 577 | 579 |
| 578 g_datalist_clear(&attribs); | 580 g_datalist_clear(&attribs); |
| 579 last = end + 1; | 581 last = end + 1; |