changeset 10981:771c510655c7

[gaim-migrate @ 12812] Fix a leak and some other issues caused by malformed messages. committer: Tailor Script <tailor@pidgin.im>
author Daniel Atallah <daniel.atallah@gmail.com>
date Wed, 08 Jun 2005 21:41:23 +0000
parents 842a21e7480b
children dcc37a23f815
files src/protocols/msn/msg.c
diffstat 1 files changed, 26 insertions(+), 12 deletions(-) [+]
--- a/src/protocols/msn/msg.c	Wed Jun 08 06:28:47 2005 +0000
+++ b/src/protocols/msn/msg.c	Wed Jun 08 21:41:23 2005 +0000
@@ -205,7 +205,10 @@
 	/* TODO? some clients use \r delimiters instead of \r\n, the official client
 	 * doesn't send such messages, but does handle receiving them. We'll just
 	 * avoid crashing for now */
-	g_return_if_fail(end != NULL);
+	if (end == NULL) {
+		g_free(tmp_base);
+		g_return_if_reached();
+	}
 	*end = '\0';
 
 	elems = g_strsplit(tmp, "\r\n", 0);
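Review bot: The `end == NULL` case at lines 19-22 is reachable from remote input (a peer sending a payload without "\r\n\r\n"), yet it is reported through `g_return_if_reached()`, a programmer-error macro that emits a g_critical; a remote peer can thus fill the log at will, and in builds or environments where criticals are fatal the process aborts. The same pattern is used in the new length check in the next-but-one hunk (the `sizeof(header)` guard). Replacing the macro with a plain cleanup-and-return, e.g. `g_free(tmp_base); return;`, optionally preceded by a debug-level log naming the malformed message, keeps the early exit without treating peer input as a bug. The move away from `g_return_if_fail()` is nonetheless an improvement: that macro is, as far as I recall, compiled out entirely under G_DISABLE_CHECKS, whereas the new explicit `if` always takes the exit. The enclosing parse function starts before this hunk.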
@@ -252,6 +255,7 @@
 
 	g_strfreev(elems);
 
+	/* Proceed to the end of the "\r\n\r\n" */
 	tmp = end + 4;
 
 	/* Now we *should* be at the body. */
@@ -262,6 +266,12 @@
 	{
 		MsnSlpHeader header;
 		MsnSlpFooter footer;
+		int body_len;
+
+		if (payload_len - (tmp - tmp_base) < sizeof(header)) {
+			g_free(tmp_base);
+			g_return_if_reached();
+		}
 
 		msg->msnslp_message = TRUE;
 
@@ -279,24 +289,28 @@
 		msg->msnslp_header.ack_sub_id = GUINT32_FROM_LE(header.ack_sub_id);
 		msg->msnslp_header.ack_size   = GUINT64_FROM_LE(header.ack_size);
 
-		/* Import the body. */
-		msg->body_len = payload_len - (tmp - tmp_base) - sizeof(footer);
+		body_len = payload_len - (tmp - tmp_base) - sizeof(footer);
 
-		if (msg->body_len > 0)
+		/* Import the body. */
+		if (body_len > 0) {
+			msg->body_len = body_len;
 			msg->body = g_memdup(tmp, msg->body_len);
-
-		tmp += msg->body_len;
+			tmp += body_len;
+		}
 
 		/* Import the footer. */
-		memcpy(&footer, tmp, sizeof(footer));
-		tmp += sizeof(footer);
-
-		msg->msnslp_footer.value = GUINT32_FROM_BE(footer.value);
+		if (body_len >= 0) {
+			memcpy(&footer, tmp, sizeof(footer));
+			tmp += sizeof(footer);
+			msg->msnslp_footer.value = GUINT32_FROM_BE(footer.value);
+		}
 	}
 	else
 	{
-		msg->body_len = payload_len - (tmp - tmp_base);
-		msg->body = g_memdup(tmp, msg->body_len);
+		if (payload_len - (tmp - tmp_base) > 0) {
+			msg->body_len = payload_len - (tmp - tmp_base);
+			msg->body = g_memdup(tmp, msg->body_len);
+		}
 	}
 
 	g_free(tmp_base);
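Review bot: The expression at line 53 subtracts `sizeof(footer)`, so the whole right-hand side is evaluated as an unsigned size_t and a "negative" result is a wrapped-around large value; the subsequent `body_len > 0` and `body_len >= 0` tests at lines 57 and 70 only work because the out-of-range conversion into `int body_len` happens to yield the negative value on common compilers, which is implementation-defined rather than guaranteed. Making the short-payload case explicit avoids relying on that, for example `size_t remaining = payload_len - (tmp - tmp_base);` and `body_len = remaining < sizeof(footer) ? -1 : (int)(remaining - sizeof(footer));`, which preserves the current skip-body-and-footer behaviour for truncated messages. The same signedness question applies to the `> 0` test at line 80 in the non-SLP branch: if `payload_len` is unsigned, a remainder that should be negative would instead be passed as a huge size to `g_memdup`, though as noted at the earlier hunk it is not clear from this diff whether the remainder can go negative at all. A one-line comment above line 70 such as `/* body_len < 0 means the payload is too short for a footer; skip it */` would also help, since the pairing of `> 0` and `>= 0` is easy to misread.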