# HG changeset patch
# User Daniel Atallah
# Date 1118266883 0
# Node ID 771c510655c77dcb3d30261adbdb92160b433800
# Parent 842a21e7480bd8421f96252ae4f468e1ce69e73a
[gaim-migrate @ 12812] Fix a leak and some other issues caused by malformed messages.
committer: Tailor Script
diff -r 842a21e7480b -r 771c510655c7 src/protocols/msn/msg.c
--- a/src/protocols/msn/msg.c	Wed Jun 08 06:28:47 2005 +0000
+++ b/src/protocols/msn/msg.c	Wed Jun 08 21:41:23 2005 +0000
@@ -205,7 +205,10 @@
 /* TODO? some clients use \r delimiters instead of \r\n, the official client
 * doesn't send such messages, but does handle receiving them. We'll just
 * avoid crashing for now */
- g_return_if_fail(end != NULL);
+ if (end == NULL) {
+ g_free(tmp_base);
+ g_return_if_reached();
+ }
 *end = '\0';
 
 elems = g_strsplit(tmp, "\r\n", 0);
@@ -252,6 +255,7 @@
 
 g_strfreev(elems);
 
+ /* Proceed to the end of the "\r\n\r\n" */
 tmp = end + 4;
 
 /* Now we *should* be at the body. */
@@ -262,6 +266,12 @@
 {
 MsnSlpHeader header;
 MsnSlpFooter footer;
+ int body_len;
+
+ if (payload_len - (tmp - tmp_base) < sizeof(header)) {
+ g_free(tmp_base);
+ g_return_if_reached();
+ }
 
 msg->msnslp_message = TRUE;
 
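Review bot: The new `end == NULL` branch frees the copy but still leaves through `g_return_if_reached()`, which logs at G_LOG_LEVEL_CRITICAL for a condition the remote peer controls; the comment right above it says some clients do send `\r`-delimited messages, and with fatal criticals enabled (G_DEBUG=fatal-criticals) one malformed payload aborts the client. The `g_return_*` family is for programmer errors, so a malformed network message should be dropped without the critical: `if (end == NULL) { g_free(tmp_base); return; }`, with a debug-level log line if the file has one. The enclosing function starts before this hunk, so whatever was written into `msg` earlier stays partially parsed on this path; worth confirming the caller tolerates that.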
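Review bot: The new bound check in the SLP branch only guarantees `sizeof(header)` bytes remain, so a payload carrying a header followed by fewer than `sizeof(footer)` bytes passes here and is only caught further down, through `body_len` turning negative. If every binary P2P message must carry both (the old code copied the footer unconditionally, which suggests so), checking `if (payload_len - (tmp - tmp_base) < sizeof(header) + sizeof(footer))` here keeps the later arithmetic non-negative and makes a separate footer guard unnecessary. The type of `payload_len` is not visible in this hunk; if it is signed, the comparison against `sizeof(header)` is performed unsigned and is only safe because `tmp` cannot have moved past `tmp_base + payload_len` at this point, which deserves a one-line comment. The same remark as for the first hunk applies to `g_return_if_reached()` on peer-controlled input; the enclosing function continues past both ends of this hunk.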
@@ -279,24 +289,28 @@
 msg->msnslp_header.ack_sub_id = GUINT32_FROM_LE(header.ack_sub_id);
 msg->msnslp_header.ack_size = GUINT64_FROM_LE(header.ack_size);
 
- /* Import the body. */
- msg->body_len = payload_len - (tmp - tmp_base) - sizeof(footer);
+ body_len = payload_len - (tmp - tmp_base) - sizeof(footer);
 
- if (msg->body_len > 0)
+ /* Import the body. */
+ if (body_len > 0) {
+ msg->body_len = body_len;
 msg->body = g_memdup(tmp, msg->body_len);
-
- tmp += msg->body_len;
+ tmp += body_len;
+ }
 
 /* Import the footer. */
- memcpy(&footer, tmp, sizeof(footer));
- tmp += sizeof(footer);
-
- msg->msnslp_footer.value = GUINT32_FROM_BE(footer.value);
+ if (body_len >= 0) {
+ memcpy(&footer, tmp, sizeof(footer));
+ tmp += sizeof(footer);
+ msg->msnslp_footer.value = GUINT32_FROM_BE(footer.value);
+ }
 }
 else
 {
- msg->body_len = payload_len - (tmp - tmp_base);
- msg->body = g_memdup(tmp, msg->body_len);
+ if (payload_len - (tmp - tmp_base) > 0) {
+ msg->body_len = payload_len - (tmp - tmp_base);
+ msg->body = g_memdup(tmp, msg->body_len);
+ }
 }
 
 g_free(tmp_base);
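Review bot: `body_len = payload_len - (tmp - tmp_base) - sizeof(footer);` is evaluated in `size_t` because of the `sizeof` operand, so when fewer than `sizeof(footer)` bytes remain it wraps to a huge unsigned value, and the negative `int body_len` that the new `if (body_len >= 0)` guard depends on comes only from the implementation-defined narrowing on assignment. That holds on the usual two's-complement targets, but a truncated footer is a parse error and should be rejected explicitly, which also removes the need for a signed `body_len` and for the `>= 0` guard. When the message is rejected this way `msg->body` and `msg->body_len` are left untouched, so the caller presumably sees an empty body; worth confirming `msg` is zero-initialised before parsing. The enclosing function continues past both ends of this hunk.
```c
	/* … unchanged: header field conversions … */
	if ((size_t)(payload_len - (tmp - tmp_base)) < sizeof(footer)) {
		/* Header present but footer truncated: drop the message. */
		g_free(tmp_base);
		return;
	}
	body_len = payload_len - (tmp - tmp_base) - sizeof(footer);

	/* Import the body. */
	if (body_len > 0) {
		/* … unchanged: body copy … */
	}

	/* Import the footer; the check above guarantees it is present. */
	memcpy(&footer, tmp, sizeof(footer));
	tmp += sizeof(footer);
	msg->msnslp_footer.value = GUINT32_FROM_BE(footer.value);
	/* … unchanged: non-SLP branch and g_free(tmp_base) … */
```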