pidgin: src/util.c comparison

[gaim-migrate @ 10672] Fix 2 insanely rare but maybe-still-possible buffer overflows. committer: Tailor Script <tailor@pidgin.im>

author	Mark Doliner <mark@kingant.net>
date	Sat, 21 Aug 2004 20:11:42 +0000
parents	3e7e294f56f3
children	5206fb21e358

comparison

equal deleted inserted replaced

-:4d9d4940454b
+:fe268cb602cb
 	/* If we can find a Content-Length header at all, try to sscanf it.
 	 * Response headers should end with at least \r\n, so sscanf is safe,
 	 * if we make sure that there is indeed a \n in our header.
 	 */
 	if (p && g_strstr_len(p, data_len - (p - data), "\n")) {
-		sscanf(p, "Content-Length: %d", (int *)&content_len);
+		sscanf(p, "Content-Length: %ud", &content_len);
 		gaim_debug_misc("parse_content_len", "parsed %d\n", content_len);
 	}
 	return content_len;
 }
 gaim_url_decode(const char *str)
 {
 	static char buf[BUF_LEN];
 	guint i, j = 0;
 	char *bum;
+	char hex[3];
 	g_return_val_if_fail(str != NULL, NULL);
+	/*
+	 * XXX - This check could be removed and buf could be made
+	 * dynamically allocated, but this is easier.
+	 */
+	if (strlen(str) >= BUF_LEN)
+		return NULL;
 	for (i = 0; i < strlen(str); i++) {
-		char hex[3];
 		if (str[i] != '%')
 			buf[j++] = str[i];
 		else {
 			strncpy(hex, str + ++i, 2);

Mercurial > pidgin