# HG changeset patch
# User Mark Doliner
# Date 1281462787 0
# Node ID a4d7d154d00d5ebe03022d5d76595f0e1b24daad
# Parent d48ae82c58ac8b6fe28a6672cd3adb691aec5589
*** Plucked rev 7e159eaa14b0041fcc3ee5783cd1e4f2d039a1a1 (markdoliner@pidgin.im):
Fix a crash bug in oscar related to trying to allocate too much memory. This was reported to our security mailing list by Jan Kaluza The Great. I honestly couldn't figure out how to repro this crash, so I've been considering it as not a remote-crash security problem, so I chose to skip the CVE process for this.
*** Plucked rev 5f40454216dc36a3276e369a5b9483d6bddc13f2 (markdoliner@pidgin.im):
Make these unsigned, in case someone figures out how to actually send one of these and somehow manages to use a negative number. Pointed out by Yuriy M. Kaminskiy. Thanks, Yuriy!
diff -r d48ae82c58ac -r a4d7d154d00d libpurple/protocols/oscar/oscar.c
--- a/libpurple/protocols/oscar/oscar.c Tue Aug 10 17:09:32 2010 +0000
+++ b/libpurple/protocols/oscar/oscar.c Tue Aug 10 17:53:07 2010 +0000
@@ -1985,7 +1985,8 @@
  case 0x1a: { /* Handle SMS or someone has sent you a greeting card or requested buddies? */
  ByteStream qbs;
- int smstype, taglen, smslen;
+ guint16 smstype;
+ guint32 taglen, smslen;
  char *tagstr = NULL, *smsmsg = NULL;
  xmlnode *xmlroot = NULL, *xmltmp = NULL;
  gchar *uin = NULL, *message = NULL;
@@ -1999,12 +2000,23 @@
  if (smstype != 0)
  break;
  taglen = byte_stream_getle32(&qbs);
+ if (taglen > 2000) {
+ /* Avoid trying to allocate large amounts of memory, in case we get something unexpected. */
+ break;
+ }
  tagstr = byte_stream_getstr(&qbs, taglen);
  if (tagstr == NULL)
  break;
  byte_stream_advance(&qbs, 3);
  byte_stream_advance(&qbs, 4);
  smslen = byte_stream_getle32(&qbs);
+ if (smslen > 2000) {
+ /* Avoid trying to allocate large amounts of memory, in case we get something unexpected. */
+ g_free(tagstr);
+ break;
+ }
  smsmsg = byte_stream_getstr(&qbs, smslen);
  /* Check if this is an SMS being sent from server */
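Review bot: The new declaration `guint32 taglen, smslen;` carries no hint of why the type was changed, and the commit message ("in case someone ... manages to use a negative number") is the only place that reasoning lives, so a later cleanup could quietly revert these to `int` and reopen the issue. A short comment beside the declaration would pin it down: `/* Unsigned on purpose: wire-supplied lengths compared against an upper bound below; a signed type would let a "negative" length slip past that check. */`. The `case 0x1a:` block begins in this hunk and continues past it, so the reads and bounds checks the comment refers to are outside the hunk.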