Mercurial > pidgin.yaz
changeset 14092:58c9f678b77a
[gaim-migrate @ 16717]
Fix a bug reported by Jon Oberheide. If there is an extra either 1
or 3 bytes on an incoming oscar message then our ICBM parser gets
into an infinite loop. This could open be caused by a malicious
server or a man-in-the-middle.
committer: Tailor Script <tailor@pidgin.im>
| author | Mark Doliner <mark@kingant.net> |
|---|---|
| date | Sat, 12 Aug 2006 10:59:13 +0000 |
| parents | ae4cbed1b309 |
| children | b9e9938b1afa |
| files | src/protocols/oscar/family_icbm.c |
| diffstat | 1 files changed, 1 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/protocols/oscar/family_icbm.c Sat Aug 12 10:27:29 2006 +0000 +++ b/src/protocols/oscar/family_icbm.c Sat Aug 12 10:59:13 2006 +0000 @@ -1588,7 +1588,7 @@ * I've changed it to process the TLVs in-place. This avoids lots * of per-IM memory allocations. */ - while (byte_stream_empty(bs)) + while (byte_stream_empty(bs) >= 4) { type = byte_stream_get16(bs); length = byte_stream_get16(bs);