# HG changeset patch
# User John Bailey
# Date 1246128648 0
# Node ID 7f43d6779764b36345f59cd25e575ed483de5b7f
# Parent 916f266aca9883a260d5ce837e4af65bfdb66a87
Apply [9bac0a540156fb1848eedd61c8630737dee752c7] here as well. I should actually have committed this here first, then plucked to 2.5.8, but by the time I realized this it was too late to fix. Refs #9483.
diff -r 916f266aca98 -r 7f43d6779764 libpurple/protocols/oscar/bstream.c
--- a/libpurple/protocols/oscar/bstream.c Sat Jun 27 17:50:49 2009 +0000
+++ b/libpurple/protocols/oscar/bstream.c Sat Jun 27 18:50:48 2009 +0000
@@ -161,15 +161,19 @@
 return aimutil_getle32(bs->data + bs->offset - 4);
 }
+static void byte_stream_getrawbuf_nocheck(ByteStream *bs, guint8 *buf, int len)
+{
+ memcpy(buf, bs->data + bs->offset, len);
+ bs->offset += len;
+}
+
 int byte_stream_getrawbuf(ByteStream *bs, guint8 *buf, int len)
 {
 if (byte_stream_empty(bs) < len)
 return 0;
- memcpy(buf, bs->data + bs->offset, len);
- bs->offset += len;
-
+ byte_stream_getrawbuf_nocheck(bs, buf, len);
 return len;
 }
@@ -177,12 +181,12 @@
 {
 guint8 *ob;
+ if (byte_stream_empty(bs) < len)
+ return NULL;
+
 ob = g_malloc(len);
- if (byte_stream_getrawbuf(bs, ob, len) < len) {
- g_free(ob);
- return NULL;
- }
+ byte_stream_getrawbuf_nocheck(bs, ob, len);
 return ob;
 }
@@ -191,12 +195,12 @@
 {
 char *ob;
+ if (byte_stream_empty(bs) < len)
+ return NULL;
+
 ob = g_malloc(len + 1);
- if (byte_stream_getrawbuf(bs, (guint8 *)ob, len) < len) {
- g_free(ob);
- return NULL;
- }
+ byte_stream_getrawbuf_nocheck(bs, (guint8 *)ob, len);
 ob[len] = '\0';
diff -r 916f266aca98 -r 7f43d6779764 libpurple/protocols/oscar/oscar.c
--- a/libpurple/protocols/oscar/oscar.c Sat Jun 27 17:50:49 2009 +0000
+++ b/libpurple/protocols/oscar/oscar.c Sat Jun 27 18:50:48 2009 +0000
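Review bot: The new `byte_stream_getrawbuf_nocheck` helper carries no comment stating that the caller must already have verified `byte_stream_empty(bs) >= len`, and that precondition is the only thing keeping its unchecked `memcpy` and `bs->offset += len` in bounds now that three callers rely on it. A one-line header would make the contract explicit for the next person who adds a caller: `/* No bounds check: caller must already have verified byte_stream_empty(bs) >= len. */`. `byte_stream_getrawbuf` itself keeps its existing check and is otherwise unchanged in behaviour by this refactor.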
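Review bot: The guard moved to the top of `byte_stream_getraw`, `if (byte_stream_empty(bs) < len)`, does not reject a negative `len`: the helper it then calls takes `int len` (visible in the `byte_stream_getrawbuf_nocheck` signature; `byte_stream_getraw`'s own signature is outside the hunk), and if `byte_stream_empty` returns a signed count, as the `< len` comparison suggests, a negative `len` passes the check and reaches `g_malloc(len)` and the `memcpy`, where it converts to an enormous size. The length is attacker-influenced in at least one caller, since the oscar.c hunk in this same changeset feeds `byte_stream_getstr` a 32-bit value read straight from the message with `byte_stream_getle32`. `if (len < 0 || byte_stream_empty(bs) < len) return NULL;` closes that hole, and the same line applies to the identical guard in `byte_stream_getstr` in the following hunk.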
@@ -2905,9 +2905,15 @@
 /* From libicq2000-0.3.2/src/ICQ.cpp */
 byte_stream_init(&qbs, (guint8 *)args->msg, args->msglen);
 byte_stream_advance(&qbs, 21);
+ /* expected: 01 00 00 20 00 0e 28 f6 00 11 e7 d3 11 bc f3 00 04 ac 96 9d c2 | 00 00 | 06 00 00 00 | 49 43 51 53 43 53 ...*/
+ /* unexpected: 00 00 26 00 81 1a 18 bc 0e 6c 18 47 a5 91 6f 18 dc c7 6f 1a | 00 00 | 0d 00 00 00 | 49 43 51 57 65 62 4d 65 73 73 61 67 65 ... */
 smstype = byte_stream_getle16(&qbs);
+ if (smstype != 0)
+ break;
 taglen = byte_stream_getle32(&qbs);
 tagstr = byte_stream_getstr(&qbs, taglen);
+ if (tagstr == NULL)
+ break;
 byte_stream_advance(&qbs, 3);
 byte_stream_advance(&qbs, 4);
 smslen = byte_stream_getle32(&qbs);
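Review bot: The two byte-dump comments added above `smstype = byte_stream_getle16(&qbs)` do not line up with the 21-byte `byte_stream_advance` the code performs: the "expected" dump has 21 bytes before its first bar, but the "unexpected" one has only 20, so as drawn both dumps show `00 00` in the smstype slot and the new `if (smstype != 0) break;` would reject neither. If the advance is right, the code actually reads `00 0d` (0x0d00) from the ICQWebMessage stream, which is what makes the check fire; either the bar in the comment or the check is off by one, and the comment should say which. I would name the fields in the comment, e.g. `/* 21-byte header | le16 smstype | le32 taglen | tag bytes: "ICQSCS" (expected) vs "ICQWebMessage" (unexpected) */`, since the tag string is the obvious discriminator and a `strcmp(tagstr, "ICQSCS")` check (with `g_free(tagstr)` before the `break`) would not depend on that alignment. The `tagstr == NULL` check is correct now that `byte_stream_getstr` returns NULL on a short stream and nothing is leaked on that path; the enclosing function, and whatever loop or switch the `break` exits, are outside the hunk.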