# HG changeset patch
# User Mark Doliner
# Date 1093119102 0
# Node ID fe268cb602cb05e16db1810092d5f60e087ab7a5
# Parent 4d9d4940454b467a420147a87fbbe62cf0ac461d
[gaim-migrate @ 10672] Fix 2 insanely rare but maybe-still-possible buffer overflows. committer: Tailor Script
diff -r 4d9d4940454b -r fe268cb602cb src/protocols/novell/nmrtf.c
--- a/src/protocols/novell/nmrtf.c Sat Aug 21 17:46:14 2004 +0000
+++ b/src/protocols/novell/nmrtf.c Sat Aug 21 20:11:42 2004 +0000
@@ -506,9 +506,9 @@
 gboolean param_set = FALSE;
 gboolean is_neg = FALSE;
 int param = 0;
- char *pch;
 char keyword[30];
 char parameter[20];
+ int i;
 keyword[0] = '\0';
 parameter[0] = '\0';
@@ -523,11 +523,11 @@
 }
 /* parse keyword */
- for (pch = keyword; isalpha(ch); rtf_get_char(ctx, &ch)) {
- *pch = (char) ch;
- pch++;
+ for (i = 0; isalpha(ch) && (i < sizeof(keyword) - 1); rtf_get_char(ctx, &ch)) {
+ keyword[i] = (char) ch;
+ i++;
 }
- *pch = '\0';
+ keyword[i] = '\0';
 /* check for '-' indicated a negative parameter value */
 if (ch == '-') {
@@ -540,11 +540,11 @@
 if (isdigit(ch)) {
 param_set = TRUE;
- for (pch = parameter; isdigit(ch); rtf_get_char(ctx, &ch)) {
- *pch = (char) ch;
- pch++;
+ for (i = 0; isdigit(ch) && (i < sizeof(parameter) - 1); rtf_get_char(ctx, &ch)) {
+ parameter[i] = (char) ch;
+ i++;
 }
- *pch = '\0';
+ parameter[i] = '\0';
 ctx->param = param = atoi(parameter);
 if (is_neg)
diff -r 4d9d4940454b -r fe268cb602cb src/util.c
--- a/src/util.c Sat Aug 21 17:46:14 2004 +0000
+++ b/src/util.c Sat Aug 21 20:11:42 2004 +0000
@@ -2616,7 +2616,7 @@
 * if we make sure that there is indeed a \n in our header.
 */
 if (p && g_strstr_len(p, data_len - (p - data), "\n")) {
- sscanf(p, "Content-Length: %d", (int *)&content_len);
+ sscanf(p, "Content-Length: %ud", &content_len);
 gaim_debug_misc("parse_content_len", "parsed %d\n", content_len);
 }
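Review bot: The new index `int i;` is signed, while both loops that use it compare it with `sizeof(keyword) - 1` and `sizeof(parameter) - 1`, which are `size_t`. The comparison therefore happens after an implicit conversion to unsigned and will draw a sign-compare warning. Declaring it `size_t i;` keeps the bound check in a single type. The enclosing function starts and ends outside this hunk.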
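Review bot: A keyword longer than `sizeof(keyword) - 1` letters is now silently truncated: the loop `for (i = 0; isalpha(ch) && (i < sizeof(keyword) - 1); ...)` exits with `ch` still holding a letter, so the 29-character prefix is treated as the keyword and the remaining letters are left for the code that follows. The digit loop in the next hunk has the same shape. Because this input comes from a remote peer, an over-long token is better rejected than reinterpreted, for example with `if (isalpha(ch)) return PARSE_ERROR; /* placeholder: this parser's own error status */` after the loop. How the rest of the function handles the leftover `ch` is outside the hunk, so the exact effect should be confirmed there.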
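Review bot: `ctx->param = param = atoi(parameter);` can now receive up to 19 digits, which does not fit in an `int`, and `atoi` has undefined behaviour when the value is out of range. Since the write is bounded now, the conversion is the remaining unchecked step on this peer-supplied number. Consider `long v = strtol(parameter, NULL, 10);` followed by `if (v > INT_MAX) v = INT_MAX;` and `ctx->param = param = (int) v;`. The buffer holds digits only, so no negative case arises here. The `is_neg` handling continues outside the hunk.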
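Review bot: `"Content-Length: %ud"` is not an unsigned-decimal conversion: it is `%u` followed by a literal `d` that the header never contains. The store through `&content_len` is also only correct if that variable is exactly `unsigned int`. Its declaration is outside the hunk, but the removed `(int *)` cast suggests a wider type such as `size_t`, in which case `%u` writes only part of the object. The sscanf result is unchecked as well, so a malformed header leaves `content_len` at whatever it held before. Parsing into a local avoids all three: `unsigned int len;` then `if (sscanf(p, "Content-Length: %u", &len) == 1) content_len = len;`. The `"parsed %d\n"` debug format should be brought in line with the variable's real type too.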
@@ -2828,11 +2828,18 @@
 static char buf[BUF_LEN];
 guint i, j = 0;
 char *bum;
+ char hex[3];
 g_return_val_if_fail(str != NULL, NULL);
+ /*
+ * XXX - This check could be removed and buf could be made
+ * dynamically allocated, but this is easier.
+ */
+ if (strlen(str) >= BUF_LEN)
+ return NULL;
+
 for (i = 0; i < strlen(str); i++) {
- char hex[3];
 if (str[i] != '%')
 buf[j++] = str[i];
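Review bot: The added `if (strlen(str) >= BUF_LEN) return NULL;` gives this function a new failure return for a non-NULL argument, and nothing in the hunk documents it. Any caller that passes the result straight to a string function will now dereference NULL on an over-long URL, so the callers need to be checked. The XXX comment should also say why the check is sufficient, for example `/* Decoding never produces more bytes than it consumes, so strlen(str) < BUF_LEN keeps every write to buf, including the terminator, in bounds; returns NULL otherwise. */`. That invariant depends on the rest of the loop, which lies outside the hunk. Separately, `strlen(str)` is re-evaluated on every iteration of the loop condition and could be computed once into a local.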