# HG changeset patch
# User Mark Doliner
# Date 1226992609 0
# Node ID caf82c1cebf2ceda1a5af7dd4681aac543bfa882
# Parent 8de8ca65e1d98db9494a5b021d702a19f7e72d43
I've seen this crash a few times where cmd->param_count is 4 and we try to access params[4] which is invalid. The backtrace is: #0 0x0000003c4c4341ca in ____strtoll_l_internal () from /lib64/libc.so.6 #1 0x0000003c4c431ab2 in atoi () from /lib64/libc.so.6 #2 0x00000000005f0abe in ubm_cmd (cmdproc=0xc86eb30, cmd=0xc832e00) at notification.c:494 #3 0x00000000005efef1 in msn_cmdproc_process_cmd (cmdproc=0xc86eb30, cmd=0xc832e00) at cmdproc.c:321 #4 0x00000000005eff97 in msn_cmdproc_process_cmd_text (cmdproc=0xc86eb30, command=0xcadb390 "UBM somebody1@yahoo.com 32 1 170") at cmdproc.c:343 #5 0x00000000005f9d8f in read_cb (data=0xc86ea90, source=9, cond=PURPLE_INPUT_READ) at servconn.c:439 #6 0x00000000004db70c in pidgin_io_invoke (source=0xc8369f0, condition=G_IO_IN, data=0xc836570) at gtkeventloop.cc:79 Here are some other values I've seen for command in frame 4: UBM somebody1@yahoo.com 32 1 170 UBM somebody2@yahoo.com 32 2 91 UBM somebody3@yahoo.com 32 2 93
diff -r 8de8ca65e1d9 -r caf82c1cebf2 libpurple/protocols/msn/notification.c
--- a/libpurple/protocols/msn/notification.c Tue Nov 18 03:02:03 2008 +0000
+++ b/libpurple/protocols/msn/notification.c Tue Nov 18 07:16:49 2008 +0000
@@ -491,7 +491,7 @@
 * command and we are processing it */
 if (cmd->payload == NULL) {
 cmdproc->last_cmd->payload_cb = msg_cmd_post;
- cmd->payload_len = atoi(cmd->params[4]);
+ cmd->payload_len = cmd->param_count >= 4 ? atoi(cmd->params[4]) : 0;
 } else {
 g_return_if_fail(cmd->payload_cb != NULL);
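Review bot: The new guard `cmd->param_count >= 4` still lets a four-parameter command reach `cmd->params[4]`, which is the exact case the description reports crashing (`UBM somebody1@yahoo.com 32 1 170`, where param_count is 4). Reading index 4 needs at least five parameters, so the line should be `cmd->payload_len = cmd->param_count >= 5 ? atoi(cmd->params[4]) : 0;`. In the sample commands the trailing number (170, 91, 93) looks like it may be the payload length sitting at `params[3]`; if that is right, falling back to 0 silently drops the payload, so the intended index for this command shape should be confirmed. Because the token comes from the server, `atoi` also cannot reject a non-numeric or negative length before it is stored in `payload_len`; a checked `strtol` with a range test would close that gap. The enclosing function starts and ends outside the hunk.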