changeset 14092:58c9f678b77a

[gaim-migrate @ 16717] Fix a bug reported by Jon Oberheide. If there is an extra either 1 or 3 bytes on an incoming oscar message then our ICBM parser gets into an infinite loop. This could open be caused by a malicious server or a man-in-the-middle.
committer: Tailor Script <tailor@pidgin.im>
author Mark Doliner <mark@kingant.net>
date Sat, 12 Aug 2006 10:59:13 +0000
parents ae4cbed1b309
children b9e9938b1afa
files src/protocols/oscar/family_icbm.c
diffstat 1 files changed, 1 insertions(+), 1 deletions(-)
--- a/src/protocols/oscar/family_icbm.c	Sat Aug 12 10:27:29 2006 +0000
+++ b/src/protocols/oscar/family_icbm.c	Sat Aug 12 10:59:13 2006 +0000
@@ -1588,7 +1588,7 @@
 	 * I've changed it to process the TLVs in-place.  This avoids lots
 	 * of per-IM memory allocations.
 	 */
-	while (byte_stream_empty(bs))
+	while (byte_stream_empty(bs) >= 4)
 	{
 		type = byte_stream_get16(bs);
 		length = byte_stream_get16(bs);
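Review bot: The new guard `byte_stream_empty(bs) >= 4` only guarantees room for the two 16-bit header fields read at the top of the loop; the visible lines do not show `length` being checked against the bytes that remain before the TLV value is consumed. Since the commit message treats the server and the network path as untrusted, I would add an explicit `if (length > byte_stream_empty(bs)) break;` right after the `length = byte_stream_get16(bs);` line unless the body already does this. Two smaller points: the literal 4 deserves a short comment (2-byte type plus 2-byte length), and the fact that `byte_stream_empty()` returns a remaining-byte count rather than a boolean is what made the old `while (byte_stream_empty(bs))` condition look plausible, so a note in the comment block above the loop would help the next reader. With this guard, 1 to 3 trailing bytes are now silently ignored; a debug log for that case would make malformed messages visible.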