[gaim-migrate @ 8822] "Hi over there... just found another overflow while creating patches for gaim-cvs and 0.75 for all vulnerabilities I have found. The new overflow is in gaim_url_parse a sscanf without sizechecks into stackbuffers. I think you can apply the patches directly and all vulnerabilities are gone..." -- Stefan Esser " Using 0.75, looking at the logs for conversations I've had since upgrading, I discovered that the formating (font, color, size) of the text was not showing up. Looking at the actual HTML in the log files I discovered that the use of tags has replaced with tags and inline CSS, this formatting shows up fine when viewing the logs using a browser such as Mozilla, but not in the Gaim log viewer. Here, I fixed my own bug in 0.75 and then fixed it in 0.76cvs so I could give you the diff. Actually tested it in 0.76cvs, apparently all the font handling stuff is a bit screwy, but you might as well add my work so when it's back to normal the log viewer is consistent with the log files." --Douglas (douglaswth) Thrift (18:10:53) Me: look at that html patch (18:11:02) seanegn: I did last night (18:11:06) Me: and? (18:12:35) Me: can it go in? (18:17:33) ***Me senses he is being ignored (18:18:50) seanegn: haha, no. (18:18:59) seanegn: It looked like it should be good. Do you want to commit it? (18:19:04) Me: i can do that yes (18:19:14) Me: i'm looking at if the overflow patch compiles currently (18:19:24) seanegn: do that one too (18:19:27) Me: :-) (18:19:48) seanegn: Why do I have a feeling that this conversation (including this line) is going to be part of a commit log message? (18:19:53) seanegn: Hi, gaim-commits! (18:19:56) Me: lol (18:20:25) Me: *inocently* would i do that? (18:20:31) Me: :-P committer: Tailor Script <tailor@pidgin.im>

--- a/src/util.c	Thu Jan 15 23:11:46 2004 +0000
+++ b/src/util.c	Thu Jan 15 23:26:07 2004 +0000
@@ -250,12 +250,13 @@
 void
 gaim_quotedp_decode(const char *str, char **ret_str, int *ret_len)
 {
-	char *p, *n, *new;
+	char *p, *n, *new, *end;
 	int i;
 
 	n = new = g_malloc(strlen (str) + 1);
+	end = str + strlen(str);
 
-	for (p = (char *)str; *p; p++, n++) {
+	for (p = (char *)str; p < end; p++, n++) {
 		if (*p == '=') {
 			sscanf(p + 1, "%2x\n", &i);
 			*n = (char)i;
@@ -1890,7 +1891,7 @@
 			   char **ret_path)
 {
 	char scan_info[255];
-	char port_str[5];
+	char port_str[6];
 	int f;
 	const char *turl;
 	char host[256], path[256];
@@ -1910,14 +1911,14 @@
 	}
 
 	g_snprintf(scan_info, sizeof(scan_info),
-			   "%%[%s]:%%[%s]/%%[%s]", addr_ctrl, port_ctrl, page_ctrl);
+			   "%%255[%s]:%%5[%s]/%%255[%s]", addr_ctrl, port_ctrl, page_ctrl);
 
 	f = sscanf(url, scan_info, host, port_str, path);
 
 	if (f == 1)
 	{
 		g_snprintf(scan_info, sizeof(scan_info),
-				   "%%[%s]/%%[%s]",
+				   "%%255[%s]/%%255[%s]",
 				   addr_ctrl, page_ctrl);
 		f = sscanf(url, scan_info, host, path);
 		g_snprintf(port_str, sizeof(port_str), "80");