# HG changeset patch
# User Mark Doliner
# Date 1279681071 0
# Node ID 5884388dfd065b42e0db3e9b1fbfd8f0b96d3e15
# Parent 6829b27ee4c836a7a4e4618ef56153452a8d75ab
Fix a crash bug in oscar related to trying to allocate too much memory. This was reported to our security mailing list by Jan Kaluza The Great. I honestly couldn't figure out how to repro this crash, so I've been considering it as not a remote-crash security problem, so I chose to skip the CVE process for this.

diff -r 6829b27ee4c8 -r 5884388dfd06 libpurple/protocols/oscar/oscar.c
--- a/libpurple/protocols/oscar/oscar.c Wed Jul 21 02:49:23 2010 +0000
+++ b/libpurple/protocols/oscar/oscar.c Wed Jul 21 02:57:51 2010 +0000
@@ -3028,12 +3028,23 @@
 if (smstype != 0)
 break;
 taglen = byte_stream_getle32(&qbs);
+if (taglen > 2000) {
+/* Avoid trying to allocate large amounts of memory, in
+case we get something unexpected. */
+break;
+}
 tagstr = byte_stream_getstr(&qbs, taglen);
 if (tagstr == NULL)
 break;
 byte_stream_advance(&qbs, 3);
 byte_stream_advance(&qbs, 4);
 smslen = byte_stream_getle32(&qbs);
+if (smslen > 2000) {
+/* Avoid trying to allocate large amounts of memory, in
+case we get something unexpected. */
+g_free(tagstr);
+break;
+}
 smsmsg = byte_stream_getstr(&qbs, smslen);
 
 /* Check if this is an SMS being sent from server */
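Review bot: The two `> 2000` guards only reject oversized lengths if `taglen` and `smslen` are unsigned; their declarations are outside this hunk, and if either is a plain `int`, a 32-bit value with the top bit set read by byte_stream_getle32 becomes negative, passes the guard, and still reaches byte_stream_getstr with a bogus size. Either declare both as `guint32` or widen each guard to cover the sign, e.g. `if (taglen < 0 || taglen > 2000) {` and `if (smslen < 0 || smslen > 2000) {`. The limit is also duplicated as a magic number in both guards; a single named constant (a `#define` near the top of the file, name to be chosen by the maintainer) would keep the two checks in agreement if the bound is ever tuned, and a one-line comment on it saying why 2000 was picked would help, since the commit message admits the failing input was never reproduced. The enclosing function starts and ends outside the hunk, so I could not confirm that `smsmsg` is NULL-checked after the final visible line.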