Mercurial > pidgin.yaz
comparison libpurple/protocols/yahoo/libymsg.c @ 31053:943fce8ef142
Fix for CVE-2010-3711. Properly validate the return value from
purple_base64_decode() (the CVE issue) and purple_base16_decode() (just a bug).
Coincidentally, this should also fix #12614.
committer: John Bailey <rekkanoryo@rekkanoryo.org>
| author | Daniel Atallah <daniel.atallah@gmail.com> |
|---|---|
| date | Sun, 17 Oct 2010 03:55:04 +0000 |
| parents | 351d07aefb09 |
| children | 63b9cb97d356 86598f5d7ebd 41f1e44ad4b5 |
comparison
equal
deleted
inserted
replaced
| 31044:0050a61df60c | 31053:943fce8ef142 |
|---|---|
| 315 char *tmp; | 315 char *tmp; |
| 316 gsize len; | 316 gsize len; |
| 317 | 317 |
| 318 if (pair->value) { | 318 if (pair->value) { |
| 319 decoded = purple_base64_decode(pair->value, &len); | 319 decoded = purple_base64_decode(pair->value, &len); |
| 320 if (len) { | 320 if (decoded && len > 0) { |
| 321 tmp = purple_str_binary_to_ascii(decoded, len); | 321 tmp = purple_str_binary_to_ascii(decoded, len); |
| 322 purple_debug_info("yahoo", "Got key 197, value = %s\n", tmp); | 322 purple_debug_info("yahoo", "Got key 197, value = %s\n", tmp); |
| 323 g_free(tmp); | 323 g_free(tmp); |
| 324 } | 324 } |
| 325 g_free(decoded); | 325 g_free(decoded); |
| 2861 } | 2861 } |
| 2862 | 2862 |
| 2863 if (base64) { | 2863 if (base64) { |
| 2864 guint32 ip; | 2864 guint32 ip; |
| 2865 YahooFriend *f; | 2865 YahooFriend *f; |
| 2866 char *host_ip; | 2866 char *host_ip, *tmp; |
| 2867 struct yahoo_p2p_data *p2p_data; | 2867 struct yahoo_p2p_data *p2p_data; |
| 2868 | 2868 |
| 2869 decoded = purple_base64_decode(base64, &len); | 2869 decoded = purple_base64_decode(base64, &len); |
| 2870 if (len) { | 2870 if (decoded == NULL) { |
| 2871 char *tmp = purple_str_binary_to_ascii(decoded, len); | 2871 purple_debug_info("yahoo","p2p: Unable to decode base64 IP (%s) \n", base64); |
| 2872 purple_debug_info("yahoo", "Got P2P service packet (from server): who = %s, ip = %s\n", who, tmp); | 2872 return; |
| 2873 g_free(tmp); | 2873 } |
| 2874 } | 2874 tmp = purple_str_binary_to_ascii(decoded, len); |
| 2875 purple_debug_info("yahoo", "Got P2P service packet (from server): who = %s, ip = %s\n", who, tmp); | |
| 2876 g_free(tmp); | |
| 2875 | 2877 |
| 2876 ip = strtol((gchar *)decoded, NULL, 10); | 2878 ip = strtol((gchar *)decoded, NULL, 10); |
| 2877 g_free(decoded); | 2879 g_free(decoded); |
| 2878 host_ip = g_strdup_printf("%u.%u.%u.%u", ip & 0xff, (ip >> 8) & 0xff, (ip >> 16) & 0xff, | 2880 host_ip = g_strdup_printf("%u.%u.%u.%u", ip & 0xff, (ip >> 8) & 0xff, (ip >> 16) & 0xff, |
| 2879 (ip >> 24) & 0xff); | 2881 (ip >> 24) & 0xff); |