changeset 9804:fe268cb602cb
[gaim-migrate @ 10672]
Fix 2 insanely rare but maybe-still-possible buffer overflows.
committer: Tailor Script <tailor@pidgin.im>
author | Mark Doliner <mark@kingant.net> |
---|---|
date | Sat, 21 Aug 2004 20:11:42 +0000 |
parents | 4d9d4940454b |
children | ccf5a52730b9 |
files | src/protocols/novell/nmrtf.c src/util.c |
diffstat | 2 files changed, 18 insertions(+), 11 deletions(-) [+] |
--- a/src/protocols/novell/nmrtf.c Sat Aug 21 17:46:14 2004 +0000
+++ b/src/protocols/novell/nmrtf.c Sat Aug 21 20:11:42 2004 +0000
@@ -506,9 +506,9 @@
 gboolean param_set = FALSE;
 gboolean is_neg = FALSE;
 int param = 0;
- char *pch;
 char keyword[30];
 char parameter[20];
+ int i;
 keyword[0] = '\0';
 parameter[0] = '\0';
@@ -523,11 +523,11 @@
 }
 /* parse keyword */
- for (pch = keyword; isalpha(ch); rtf_get_char(ctx, &ch)) {
- *pch = (char) ch;
- pch++;
+ for (i = 0; isalpha(ch) && (i < sizeof(keyword) - 1); rtf_get_char(ctx, &ch)) {
+ keyword[i] = (char) ch;
+ i++;
 }
- *pch = '\0';
+ keyword[i] = '\0';
 /* check for '-' indicated a negative parameter value */
 if (ch == '-') {
@@ -540,11 +540,11 @@
 if (isdigit(ch)) {
 param_set = TRUE;
- for (pch = parameter; isdigit(ch); rtf_get_char(ctx, &ch)) {
- *pch = (char) ch;
- pch++;
+ for (i = 0; isdigit(ch) && (i < sizeof(parameter) - 1); rtf_get_char(ctx, &ch)) {
+ parameter[i] = (char) ch;
+ i++;
 }
- *pch = '\0';
+ parameter[i] = '\0';
 ctx->param = param = atoi(parameter);
 if (is_neg)
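Review bot: When the keyword loop in the @@ -523 hunk stops because `i` reached `sizeof(keyword) - 1` rather than on a non-letter, the control word is silently truncated to 29 characters and `ch` still holds a letter. The rest of an over-long keyword is then presumably handled as ordinary input by code after the hunk. Treating that case as a parse error right after the loop, with a check such as `if (isalpha(ch))` that returns the function's existing error value (not visible here), would be safer than looking up a truncated keyword. The index is also declared `int i;` but compared against a `size_t` expression; `size_t i;` avoids the signed/unsigned comparison in both loops. The function starts and ends outside these hunks.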
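Review bot: In the @@ -540 hunk, `ctx->param = param = atoi(parameter);` can still be handed up to 19 digits, which does not fit in an `int`, and `atoi` has undefined behaviour for out-of-range values. Because the digits come from the RTF stream, parse with `strtol` and reject or clamp the result: `errno = 0; long v = strtol(parameter, NULL, 10);` followed by `if (errno == ERANGE || v > INT_MAX)` and the function's error path. The function body continues past `if (is_neg)`, so how a rejected parameter should be reported is not visible in this hunk.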
--- a/src/util.c Sat Aug 21 17:46:14 2004 +0000
+++ b/src/util.c Sat Aug 21 20:11:42 2004 +0000
@@ -2616,7 +2616,7 @@
 * if we make sure that there is indeed a \n in our header. */
 if (p && g_strstr_len(p, data_len - (p - data), "\n")) {
- sscanf(p, "Content-Length: %d", (int *)&content_len);
+ sscanf(p, "Content-Length: %ud", &content_len);
 gaim_debug_misc("parse_content_len", "parsed %d\n", content_len);
 }
@@ -2828,11 +2828,18 @@
 static char buf[BUF_LEN];
 guint i, j = 0;
 char *bum;
+ char hex[3];
 g_return_val_if_fail(str != NULL, NULL);
+ /*
+ * XXX - This check could be removed and buf could be made
+ * dynamically allocated, but this is easier.
+ */
+ if (strlen(str) >= BUF_LEN)
+ return NULL;
+
 for (i = 0; i < strlen(str); i++) {
- char hex[3];
 if (str[i] != '%')
 buf[j++] = str[i];
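Review bot: The new format string `"Content-Length: %ud"` in the @@ -2616 hunk is the `%u` conversion followed by a literal `d`, not an unsigned-decimal specifier. It should read `sscanf(p, "Content-Length: %u", &content_len)`, with the conversion matching the declared type of `content_len`, which is not visible in the hunk; if that type is `size_t`, `%u` fills only part of the object on LP64 targets. The return value is unchecked and `%u` accepts a leading minus sign, so a malformed header from the remote server can yield a very large length. Check `sscanf(...) == 1` and bound the value before it is used. The debug call on the next line still prints the value with `%d`.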
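Review bot: The early `return NULL;` added in the @@ -2828 hunk gives this function a failure result for non-NULL input that it apparently did not have before, so callers that pass the result straight to string functions need a NULL check. The function's doc comment (outside the hunk) should say so, e.g. `Returns NULL if str is NULL or is BUF_LEN characters or longer.` Computing the length once with `size_t len = strlen(str);` would serve both the new check and the loop condition `i < strlen(str)`, which rescans the string on every iteration. The function body continues past the end of the hunk, so the remaining writes to `buf` could not be reviewed here.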