changeset 32774:069919a0896c

Validate UTF-8 for a few random strings that we read, in case AOL or ICQ decide to start sending us non-UTF-8 data
author Mark Doliner <mark@kingant.net>
date Thu, 03 May 2012 09:28:11 +0000
parents 4d33c1b30788
children 4acc5b98f143
files libpurple/protocols/oscar/family_auth.c libpurple/protocols/oscar/family_bart.c libpurple/protocols/oscar/family_icbm.c libpurple/protocols/oscar/oscar.c libpurple/protocols/oscar/oscar.h
diffstat 5 files changed, 40 insertions(+), 41 deletions(-) [+]
--- a/libpurple/protocols/oscar/family_auth.c	Thu May 03 08:36:47 2012 +0000
+++ b/libpurple/protocols/oscar/family_auth.c	Thu May 03 09:28:11 2012 +0000
@@ -27,6 +27,7 @@
  */
 
 #include "oscar.h"
+#include "oscarcommon.h"
 
 #include <ctype.h>
 
@@ -506,14 +507,29 @@
 static int
 keyparse(OscarData *od, FlapConnection *conn, aim_module_t *mod, FlapFrame *frame, aim_modsnac_t *snac, ByteStream *bs)
 {
-	int keylen, ret = 1;
-	aim_rxcallback_t userfunc;
+	int keylen;
 	char *keystr;
 	GSList *tlvlist;
 	gboolean truncate_pass;
+	PurpleConnection *gc;
+	PurpleAccount *account;
+	ClientInfo aiminfo = CLIENTINFO_PURPLE_AIM;
+	ClientInfo icqinfo = CLIENTINFO_PURPLE_ICQ;
+
+	gc = od->gc;
+	account = purple_connection_get_account(gc);
 
 	keylen = byte_stream_get16(bs);
 	keystr = byte_stream_getstr(bs, keylen);
+	if (!g_utf8_validate(keystr, -1, NULL)) {
+		purple_debug_warning("oscar", "Received SNAC %04hx/%04hx with "
+				"invalid UTF-8 keystr.\n", snac->family, snac->subtype);
+		purple_connection_error(gc, PURPLE_CONNECTION_ERROR_OTHER_ERROR,
+				_("Received unexpected response from server"));
+		g_free(keystr);
+		return 1;
+	}
+
 	tlvlist = aim_tlvlist_read(bs);
 
 	/*
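Review bot: The new `g_utf8_validate(keystr, -1, NULL)` check passes -1 as the length even though `keylen` was just read from the wire, so validation stops at the first NUL byte and a key containing an embedded NUL is accepted and then silently truncated wherever it is used as a C string. Passing the known length, `if (keystr == NULL || !g_utf8_validate(keystr, keylen, NULL)) {`, makes GLib reject embedded NULs, and the NULL test covers the case where byte_stream_getstr returns NULL on a short stream, if it can (its definition is not shown here). The same -1 pattern is in the buddy-name checks added in family_bart.c and family_icbm.c; in family_bart.c the length byte would first have to be stored in a local, since it is read inline. keyparse continues past the end of this hunk.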
@@ -527,13 +543,18 @@
 	 * for the netscape network.  This SNAC had a type 0x0058 TLV with length 10.
 	 * Data is 0x0007 0004 3e19 ae1e 0006 0004 0000 0005 */
 
-	if ((userfunc = aim_callhandler(od, snac->family, snac->subtype)))
-		ret = userfunc(od, conn, frame, keystr, (int)truncate_pass);
+	aim_send_login(od, conn, purple_account_get_username(account),
+			purple_connection_get_password(gc), truncate_pass,
+			od->icq ? &icqinfo : &aiminfo, keystr,
+			purple_account_get_bool(account, "allow_multiple_logins", OSCAR_DEFAULT_ALLOW_MULTIPLE_LOGINS));
+
+	purple_connection_update_progress(gc,
+			_("Password sent"), 2, OSCAR_CONNECT_STEPS);
 
 	g_free(keystr);
 	aim_tlvlist_free(tlvlist);
 
-	return ret;
+	return 1;
 }
 
 /**
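Review bot: The result of `aim_send_login()` is discarded in the added call, so the "Password sent" progress step is reported and keyparse returns 1 even when the login request could not be built or queued. If the function signals failure through its return value (its definition is outside this diff), check it and call `purple_connection_error()` instead of advancing the progress. Since this call now lives in family_auth.c and reads the account password directly, a one-line comment above it would help, for example `/* keystr comes from the server and has been checked for valid UTF-8 above */`. The assignment of truncate_pass sits between the two hunks and is not visible here.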
--- a/libpurple/protocols/oscar/family_bart.c	Thu May 03 08:36:47 2012 +0000
+++ b/libpurple/protocols/oscar/family_bart.c	Thu May 03 09:28:11 2012 +0000
@@ -143,6 +143,12 @@
 	guint8 iconcsumtype, iconcsumlen, *iconcsum, *icon;
 
 	bn = byte_stream_getstr(bs, byte_stream_get8(bs));
+	if (!g_utf8_validate(bn, -1, NULL)) {
+		purple_debug_warning("oscar", "Received SNAC %04hx/%04hx with "
+				"invalid UTF-8 buddy name.\n", snac->family, snac->subtype);
+		g_free(bn);
+		return 1;
+	}
 	flags = byte_stream_get16(bs);
 	iconcsumtype = byte_stream_get8(bs);
 	iconcsumlen = byte_stream_get8(bs);
--- a/libpurple/protocols/oscar/family_icbm.c	Thu May 03 08:36:47 2012 +0000
+++ b/libpurple/protocols/oscar/family_icbm.c	Thu May 03 09:28:11 2012 +0000
@@ -2095,6 +2095,12 @@
 	channel = byte_stream_get16(bs);
 	bnlen = byte_stream_get8(bs);
 	bn = byte_stream_getstr(bs, bnlen);
+	if (!g_utf8_validate(bn, -1, NULL)) {
+		purple_debug_warning("oscar", "Received SNAC %04hx/%04hx with "
+				"invalid UTF-8 buddy name.\n", snac->family, snac->subtype);
+		g_free(bn);
+		return 1;
+	}
 	event = byte_stream_get16(bs);
 
 	if ((userfunc = aim_callhandler(od, snac->family, snac->subtype)))
--- a/libpurple/protocols/oscar/oscar.c	Thu May 03 08:36:47 2012 +0000
+++ b/libpurple/protocols/oscar/oscar.c	Thu May 03 09:28:11 2012 +0000
@@ -55,8 +55,6 @@
 
 #define AIMHASHDATA "http://pidgin.im/aim_data.php3"
 
-#define OSCAR_CONNECT_STEPS 6
-
 static guint64 purple_caps =
 	OSCAR_CAPABILITY_CHAT
 		| OSCAR_CAPABILITY_BUDDYICON
@@ -89,7 +87,6 @@
 
 /* Only used when connecting with the old-style BUCP login */
 static int purple_parse_auth_resp  (OscarData *, FlapConnection *, FlapFrame *, ...);
-static int purple_parse_login      (OscarData *, FlapConnection *, FlapFrame *, ...);
 static int purple_parse_auth_securid_request(OscarData *, FlapConnection *, FlapFrame *, ...);
 
 static int purple_handle_redirect  (OscarData *, FlapConnection *, FlapFrame *, ...);
@@ -673,7 +670,6 @@
 
 	/* These are only needed when connecting with the old-style BUCP login */
 	oscar_data_addhandler(od, SNAC_FAMILY_AUTH, 0x0003, purple_parse_auth_resp, 0);
-	oscar_data_addhandler(od, SNAC_FAMILY_AUTH, 0x0007, purple_parse_login, 0);
 	oscar_data_addhandler(od, SNAC_FAMILY_AUTH, SNAC_SUBTYPE_AUTH_SECURID_REQUEST, purple_parse_auth_securid_request, 0);
 
 	oscar_data_addhandler(od, SNAC_FAMILY_BART, SNAC_SUBTYPE_BART_RESPONSE, purple_icon_parseicon, 0);
@@ -1232,38 +1228,6 @@
 	return 1;
 }
 
-/**
- * Only used when connecting with the old-style BUCP login.
- */
-static int
-purple_parse_login(OscarData *od, FlapConnection *conn, FlapFrame *fr, ...)
-{
-	PurpleConnection *gc;
-	PurpleAccount *account;
-	ClientInfo aiminfo = CLIENTINFO_PURPLE_AIM;
-	ClientInfo icqinfo = CLIENTINFO_PURPLE_ICQ;
-	va_list ap;
-	char *key;
-	gboolean truncate_pass;
-
-	gc = od->gc;
-	account = purple_connection_get_account(gc);
-
-	va_start(ap, fr);
-	key = va_arg(ap, char *);
-	truncate_pass = va_arg(ap, int);
-	va_end(ap);
-
-	aim_send_login(od, conn, purple_account_get_username(account),
-			purple_connection_get_password(gc), truncate_pass,
-			od->icq ? &icqinfo : &aiminfo, key,
-			purple_account_get_bool(account, "allow_multiple_logins", OSCAR_DEFAULT_ALLOW_MULTIPLE_LOGINS));
-
-	purple_connection_update_progress(gc, _("Password sent"), 2, OSCAR_CONNECT_STEPS);
-
-	return 1;
-}
-
 static int
 purple_handle_redirect(OscarData *od, FlapConnection *conn, FlapFrame *fr, ...)
 {
--- a/libpurple/protocols/oscar/oscar.h	Thu May 03 08:36:47 2012 +0000
+++ b/libpurple/protocols/oscar/oscar.h	Thu May 03 09:28:11 2012 +0000
@@ -114,6 +114,8 @@
 
 #define AIM_MD5_STRING "AOL Instant Messenger (SM)"
 
+#define OSCAR_CONNECT_STEPS 6
+
 /*
  * Client info.  Filled in by the client and passed in to
  * aim_send_login().  The information ends up getting passed to OSCAR