Mercurial > pidgin.yaz
diff src/protocols/yahoo/yahoo.c @ 8118:52089b055c12
[gaim-migrate @ 8822]
"Hi over there... just found another overflow while creating
patches for gaim-cvs and 0.75 for all vulnerabilities I have
found. The new overflow is in gaim_url_parse a sscanf without
sizechecks into stackbuffers.
I think you can apply the patches directly and all vulnerabilities
are gone..." -- Stefan Esser
" Using 0.75, looking at the logs for conversations I've
had since upgrading, I discovered that the formating
(font, color, size) of the text was not showing up.
Looking at the actual HTML in the log files I discovered
that the use of tags has replaced with
tags and inline CSS, this formatting shows up fine when
viewing the logs using a browser such as Mozilla, but
not in the Gaim log viewer.
Here, I fixed my own bug in 0.75 and then fixed it in 0.76cvs
so I could give you the diff.
Actually tested it in 0.76cvs, apparently all the font handling
stuff is a bit screwy, but you might as well add my work so
when it's back to normal the log viewer is consistent with the
log files." --Douglas (douglaswth) Thrift
(18:10:53) Me: look at that html patch
(18:11:02) seanegn: I did last night
(18:11:06) Me: and?
(18:12:35) Me: can it go in?
(18:17:33) ***Me senses he is being ignored
(18:18:50) seanegn: haha, no.
(18:18:59) seanegn: It looked like it should be good. Do you want to
commit it?
(18:19:04) Me: i can do that yes
(18:19:14) Me: i'm looking at if the overflow patch compiles currently
(18:19:24) seanegn: do that one too
(18:19:27) Me: :-)
(18:19:48) seanegn: Why do I have a feeling that this conversation
(including this line) is going to be part of a commit log message?
(18:19:53) seanegn: Hi, gaim-commits!
(18:19:56) Me: lol
(18:20:25) Me: *inocently* would i do that?
(18:20:31) Me: :-P
committer: Tailor Script <tailor@pidgin.im>
| author | Luke Schierer <lschiere@pidgin.im> |
|---|---|
| date | Thu, 15 Jan 2004 23:26:07 +0000 |
| parents | d60272410bd5 |
| children | abbfed0b0050 |
line wrap: on
line diff
--- a/src/protocols/yahoo/yahoo.c Thu Jan 15 23:11:46 2004 +0000 +++ b/src/protocols/yahoo/yahoo.c Thu Jan 15 23:26:07 2004 +0000 @@ -131,8 +131,15 @@ while (pos + 1 < len) { if (data[pos] == 0xc0 && data[pos + 1] == 0x80) break; + if (x >= sizeof(key)-1) { + x++; + continue; + } key[x++] = data[pos++]; } + if (x >= sizeof(key)-1) { + x = 0; + } key[x] = 0; pos += 2; pair->key = strtol(key, NULL, 10); @@ -873,12 +880,13 @@ static char *yahoo_decode(const char *text) { char *converted; - char *p, *n, *new; + char *p, *n, *new, *end; int i; n = new = g_malloc(strlen (text) + 1); - - for (p = (char *)text; *p; p++, n++) { + end = text + strlen(text); + + for (p = (char *)text; p < end; p++, n++) { if (*p == '\\') { sscanf(p + 1, "%3o\n", &i); *n = (char)i; @@ -1908,20 +1916,27 @@ GaimConnection *gc = data; GaimAccount *account = gaim_connection_get_account(gc); struct yahoo_data *yd = gc->proto_data; - char buf[1024], buf2[256], *i = buf, *r = buf2; + char buf[1024], buf2[256], *i = buf, *r = buf2, *rend; int len, o = 0; - len = read(source, buf, sizeof(buf)); + len = read(source, buf, sizeof(buf)-1); if (len <= 0 || strncmp(buf, "HTTP/1.0 302", strlen("HTTP/1.0 302"))) { gaim_connection_error(gc, _("Unable to read")); return; } + buf[sizeof(buf)-1] = '\0'; + buf2[0] = '\0'; + rend = r + sizeof(buf2); - while ((i = strstr(i, "Set-Cookie: ")) && 0 < 2) { + while ((i = strstr(i, "Set-Cookie: ")) && o < 2) { i += strlen("Set-Cookie: "); - for (;*i != ';'; r++, i++) { + for (;*i != ';' && r < rend; r++, i++) { *r = *i; } + if (r >= rend-2) { + *r = '\0'; + r = buf2; + } *r=';'; r++; *r=' '; @@ -1929,7 +1944,9 @@ o++; } /* Get rid of that "; " */ - *(r-2) = '\0'; + if (r > buf2) { + *(r-2) = '\0'; + } yd->auth = g_strdup(buf2); gaim_input_remove(gc->inpa); close(source); @@ -1976,15 +1993,17 @@ const char *c = buf; char *d; char name[64], value[64]; + int count = sizeof(name)-1; while ((c < (buf + len)) && (c = strstr(c, "<input "))) { c = strstr(c, "name=\"") + strlen("name=\""); - for (d = name; *c!='"'; c++, d++) + for (d = name; *c!='"' && count; c++, d++, count--) *d = *c; *d = '\0'; + count = sizeof(value)-1; d = strstr(c, "value=\"") + strlen("value=\""); if (strchr(c, '>') < d) break; - for (c = d, d = value; *c!='"'; c++, d++) + for (c = d, d = value; *c!='"' && count; c++, d++, count--) *d = *c; *d = '\0'; g_hash_table_insert(hash, g_strdup(name), g_strdup(value));