Mercurial > pidgin
comparison src/util.c @ 9804:fe268cb602cb
[gaim-migrate @ 10672]
Fix 2 insanely rare but maybe-still-possible buffer overflows.
committer: Tailor Script <tailor@pidgin.im>
author | Mark Doliner <mark@kingant.net> |
---|---|
date | Sat, 21 Aug 2004 20:11:42 +0000 |
parents | 3e7e294f56f3 |
children | 5206fb21e358 |
comparison
equal
deleted
inserted
replaced
9803:4d9d4940454b | 9804:fe268cb602cb |
---|---|
2614 /* If we can find a Content-Length header at all, try to sscanf it. | 2614 /* If we can find a Content-Length header at all, try to sscanf it. |
2615 * Response headers should end with at least \r\n, so sscanf is safe, | 2615 * Response headers should end with at least \r\n, so sscanf is safe, |
2616 * if we make sure that there is indeed a \n in our header. | 2616 * if we make sure that there is indeed a \n in our header. |
2617 */ | 2617 */ |
2618 if (p && g_strstr_len(p, data_len - (p - data), "\n")) { | 2618 if (p && g_strstr_len(p, data_len - (p - data), "\n")) { |
2619 sscanf(p, "Content-Length: %d", (int *)&content_len); | 2619 sscanf(p, "Content-Length: %ud", &content_len); |
2620 gaim_debug_misc("parse_content_len", "parsed %d\n", content_len); | 2620 gaim_debug_misc("parse_content_len", "parsed %d\n", content_len); |
2621 } | 2621 } |
2622 | 2622 |
2623 return content_len; | 2623 return content_len; |
2624 } | 2624 } |
2826 gaim_url_decode(const char *str) | 2826 gaim_url_decode(const char *str) |
2827 { | 2827 { |
2828 static char buf[BUF_LEN]; | 2828 static char buf[BUF_LEN]; |
2829 guint i, j = 0; | 2829 guint i, j = 0; |
2830 char *bum; | 2830 char *bum; |
2831 char hex[3]; | |
2831 | 2832 |
2832 g_return_val_if_fail(str != NULL, NULL); | 2833 g_return_val_if_fail(str != NULL, NULL); |
2833 | 2834 |
2835 /* | |
2836 * XXX - This check could be removed and buf could be made | |
2837 * dynamically allocated, but this is easier. | |
2838 */ | |
2839 if (strlen(str) >= BUF_LEN) | |
2840 return NULL; | |
2841 | |
2834 for (i = 0; i < strlen(str); i++) { | 2842 for (i = 0; i < strlen(str); i++) { |
2835 char hex[3]; | |
2836 | 2843 |
2837 if (str[i] != '%') | 2844 if (str[i] != '%') |
2838 buf[j++] = str[i]; | 2845 buf[j++] = str[i]; |
2839 else { | 2846 else { |
2840 strncpy(hex, str + ++i, 2); | 2847 strncpy(hex, str + ++i, 2); |