comparison libpurple/protocols/yahoo/libymsg.c @ 31053:943fce8ef142
Fix for CVE-2010-3711. Properly validate the return value from
purple_base64_decode() (the CVE issue) and purple_base16_decode() (just a bug).
Coincidentally, this should also fix #12614.
committer: John Bailey <rekkanoryo@rekkanoryo.org>
author | Daniel Atallah <daniel.atallah@gmail.com> |
---|---|
date | Sun, 17 Oct 2010 03:55:04 +0000 |
parents | 351d07aefb09 |
children | 63b9cb97d356 86598f5d7ebd 41f1e44ad4b5 |
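--- a/libpurple/protocols/yahoo/libymsg.c	31044:0050a61df60c
+++ b/libpurple/protocols/yahoo/libymsg.c	31053:943fce8ef142
@@ -315,11 +315,11 @@
 char *tmp;
 gsize len;
 
 if (pair->value) {
 decoded = purple_base64_decode(pair->value, &len);
-if (len) {
+if (decoded && len > 0) {
 tmp = purple_str_binary_to_ascii(decoded, len);
 purple_debug_info("yahoo", "Got key 197, value = %s\n", tmp);
 g_free(tmp);
 }
 g_free(decoded);
@@ -2861,19 +2861,21 @@
 }
 
 if (base64) {
 guint32 ip;
 YahooFriend *f;
-char *host_ip;
+char *host_ip, *tmp;
 struct yahoo_p2p_data *p2p_data;
 
 decoded = purple_base64_decode(base64, &len);
-if (len) {
-char *tmp = purple_str_binary_to_ascii(decoded, len);
-purple_debug_info("yahoo", "Got P2P service packet (from server): who = %s, ip = %s\n", who, tmp);
-g_free(tmp);
-}
+if (decoded == NULL) {
+purple_debug_info("yahoo","p2p: Unable to decode base64 IP (%s) \n", base64);
+return;
+}
+tmp = purple_str_binary_to_ascii(decoded, len);
+purple_debug_info("yahoo", "Got P2P service packet (from server): who = %s, ip = %s\n", who, tmp);
+g_free(tmp);
 
 ip = strtol((gchar *)decoded, NULL, 10);
 g_free(decoded);
 host_ip = g_strdup_printf("%u.%u.%u.%u", ip & 0xff, (ip >> 8) & 0xff, (ip >> 16) & 0xff,
 (ip >> 24) & 0xff);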
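Review bot: The new guard at new line 2870 rejects only a NULL result, so a packet value that decodes to zero bytes still reaches `purple_str_binary_to_ascii(decoded, len)` and `strtol((gchar *)decoded, NULL, 10)` with `len == 0`, whereas the key-197 site in the first hunk checks `decoded && len > 0`. I would make the two sites agree, e.g. `if (decoded == NULL || len == 0) {` with a `g_free(decoded);` before the `return;`. The `strtol` call also relies on the decoded buffer being NUL-terminated and passes NULL for the end pointer, so non-numeric or out-of-range input is silently turned into an address; whether termination is guaranteed presumably depends on how purple_base64_decode allocates and should be confirmed, or the parse bounded by `len`. The enclosing function starts and ends outside both hunks, so whether the early `return` skips any cleanup cannot be checked from here.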