comparison libpurple/protocols/qq/im.c @ 31053:943fce8ef142
Fix for CVE-2010-3711. Properly validate the return value from
purple_base64_decode() (the CVE issue) and purple_base16_decode() (just a bug).
Coincidentally, this should also fix #12614.
committer: John Bailey <rekkanoryo@rekkanoryo.org>
author | Daniel Atallah <daniel.atallah@gmail.com> |
---|---|
date | Sun, 17 Oct 2010 03:55:04 +0000 |
parents | 351d07aefb09 |
children | 4deef745de87 |
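--- a/libpurple/protocols/qq/im.c
+++ b/libpurple/protocols/qq/im.c
@@ -545,11 +545,10 @@
 {
 qq_im_format *fmt;
 const gchar *start, *end, *last;
 GData *attribs;
 gchar *tmp;
-unsigned char *rgb;
 
 g_return_val_if_fail(msg != NULL, NULL);
 
 fmt = qq_im_fmt_new();
 
@@ -568,12 +567,15 @@
 fmt->attr &= 0x0f;
 }
 
 tmp = g_datalist_get_data(&attribs, "color");
 if (tmp && strlen(tmp) > 1) {
-rgb = purple_base16_decode(tmp + 1, NULL);
-g_memmove(fmt->rgb, rgb, 3);
+unsigned char *rgb;
+gsize rgb_len;
+rgb = purple_base16_decode(tmp + 1, &rgb_len);
+if (rgb != NULL && rgb_len >= 3)
+g_memmove(fmt->rgb, rgb, 3);
 g_free(rgb);
 }
 
 g_datalist_clear(&attribs);
 last = end + 1;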
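Review bot: The new guard in the `color` branch, `if (rgb != NULL && rgb_len >= 3)`, silently drops a malformed colour value and leaves `fmt->rgb` at whatever `qq_im_fmt_new()` set, which is not visible in this hunk and should be confirmed to be a defined default. Since the attribute presumably comes from a remote peer's message, a short comment such as `/* decode may fail or return fewer than 3 bytes on a malformed color attribute; keep the default rgb */` would record why the length check must stay. I would also brace the one-line body, `if (rgb != NULL && rgb_len >= 3) { g_memmove(fmt->rgb, rgb, 3); }`, so that a later addition cannot end up outside the check. The enclosing function begins and ends outside the shown lines.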