# HG changeset patch
# User Mark Doliner
# Date 1155380353 0
# Node ID 58c9f678b77a43f939181b7d7579a4c2fe23a75d
# Parent ae4cbed1b309a10cfca88883dcce34575d4c137e
[gaim-migrate @ 16717] Fix a bug reported by Jon Oberheide. If there is an extra either 1 or 3 bytes on an incoming oscar message then our ICBM parser gets into an infinite loop. This could open be caused by a malicious server or a man-in-the-middle. committer: Tailor Script
diff -r ae4cbed1b309 -r 58c9f678b77a src/protocols/oscar/family_icbm.c
--- a/src/protocols/oscar/family_icbm.c Sat Aug 12 10:27:29 2006 +0000
+++ b/src/protocols/oscar/family_icbm.c Sat Aug 12 10:59:13 2006 +0000
@@ -1588,7 +1588,7 @@
 * I've changed it to process the TLVs in-place. This avoids lots
 * of per-IM memory allocations.
 */
- while (byte_stream_empty(bs))
+ while (byte_stream_empty(bs) >= 4)
 {
 type = byte_stream_get16(bs);
 length = byte_stream_get16(bs);
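Review bot: The new `>= 4` guard only guarantees that the two `byte_stream_get16()` header reads succeed; nothing in this hunk shows `length` being compared with the bytes still left in `bs` before the TLV value is consumed, and the loop body continues outside the hunk. Since the commit message says the data can come from a malicious server or a man-in-the-middle, an oversized `length` should end the loop, e.g. `if (length > byte_stream_empty(bs)) break;` directly after the two reads, unless the body already does this further down. It would also help to say why 4 in a comment, `/* each TLV starts with a 2-byte type and a 2-byte length */`, because `byte_stream_empty()` evidently returns a remaining-byte count rather than a boolean, which its name does not suggest.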