changeset 29074:89b4054deba1

Fix CVE-2010-0423, a denial of service attack due to the parsing of large numbers of smileys. (Discovered by Antti Hayrynen)
author Mark Doliner <mark@kingant.net>
date Tue, 16 Feb 2010 09:02:23 +0000
parents 40623dd0bba0
children 4e42f18df200
files ChangeLog pidgin/gtkimhtml.c
diffstat 2 files changed, 37 insertions(+), 19 deletions(-) [+]
line wrap: on
line diff
--- a/ChangeLog	Tue Feb 16 08:58:45 2010 +0000
+++ b/ChangeLog	Tue Feb 16 09:02:23 2010 +0000
@@ -27,7 +27,7 @@
 
 	MSN:
 	* Fix CVE-2010-0277, a possible remote crash when parsing an incoming
-	  SLP message.  Discovered by Fabian Yamaguchi.
+	  SLP message.  (Discovered by Fabian Yamaguchi)
 	* File transfer requests will no longer cause a crash if you delete the
 	  file before the other side accepts.
 	* Received files will no longer hold an extra lock after completion,
@@ -74,6 +74,8 @@
 	  Mohta)
 
 	Pidgin:
+	* Fix CVE-2010-0423, a denial of service attack due to the parsing
+	  of large numbers of smileys.  (Discovered by Antti Hayrynen)
 	* Correctly size conversation and status box entries when the
 	  interior-focus style property is diabled. (Gabriel Schulhof)
 	* Correctly handle a multiline text field being required in a
--- a/pidgin/gtkimhtml.c	Tue Feb 16 08:58:45 2010 +0000
+++ b/pidgin/gtkimhtml.c	Tue Feb 16 09:02:23 2010 +0000
@@ -2222,21 +2222,6 @@
 	return smiley->icon;
 }
 
-static GdkPixbufAnimation *
-gtk_smiley_tree_image (GtkIMHtml     *imhtml,
-		       const gchar   *sml,
-		       const gchar   *text)
-{
-	GtkIMHtmlSmiley *smiley;
-
-	smiley = gtk_imhtml_smiley_get(imhtml,sml,text);
-
-	if (!smiley)
-		return NULL;
-
-	return gtk_smiley_get_image(smiley);
-}
-
 #define VALID_TAG(x)	do { \
 			if (!g_ascii_strncasecmp (string, x ">", strlen (x ">"))) {	\
 				if (tag) *tag = g_strndup (string, strlen (x));		\
@@ -2695,6 +2680,8 @@
 	ws = g_malloc(len + 1);
 	ws[0] = '\0';
 
+	g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(0));
+
 	gtk_text_buffer_begin_user_action(imhtml->text_buffer);
 	while (pos < len) {
 		if (*c == '<' && gtk_imhtml_is_tag (c + 1, &tag, &tlen, &type)) {
@@ -3547,6 +3534,8 @@
 	}
 	gtk_text_buffer_delete(imhtml->text_buffer, start, end);
 
+	g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(0));
+
 	g_object_unref(object);
 }
 
@@ -4983,12 +4972,33 @@
 	GdkPixbufAnimation *annipixbuf = NULL;
 	GtkWidget *icon = NULL;
 	GtkTextChildAnchor *anchor = NULL;
-	char *unescaped = purple_unescape_html(smiley);
-	GtkIMHtmlSmiley *imhtml_smiley = gtk_imhtml_smiley_get(imhtml, sml, unescaped);
+	char *unescaped;
+	GtkIMHtmlSmiley *imhtml_smiley;
 	GtkWidget *ebox = NULL;
+	int numsmileys_thismsg, numsmileys_total;
+
+	/*
+	 * This GtkIMHtml has the maximum number of smileys allowed, so don't
+	 * add any more.  We do this for performance reasons, because smileys
+	 * are apparently pretty inefficient.  Hopefully we can remove this
+	 * restriction when we're using a better HTML widget.
+	 */
+	numsmileys_thismsg = GPOINTER_TO_INT(g_object_get_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg"));
+	if (numsmileys_thismsg >= 30) {
+		gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1);
+		return;
+	}
+	numsmileys_total = GPOINTER_TO_INT(g_object_get_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total"));
+	if (numsmileys_total >= 300) {
+		gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1);
+		return;
+	}
+
+	unescaped = purple_unescape_html(smiley);
+	imhtml_smiley = gtk_imhtml_smiley_get(imhtml, sml, unescaped);
 
 	if (imhtml->format_functions & GTK_IMHTML_SMILEY) {
-		annipixbuf = gtk_smiley_tree_image(imhtml, sml, unescaped);
+		annipixbuf = imhtml_smiley ? gtk_smiley_get_image(imhtml_smiley) : NULL;
 		if (annipixbuf) {
 			if (gdk_pixbuf_animation_is_static_image(annipixbuf)) {
 				pixbuf = gdk_pixbuf_animation_get_static_image(annipixbuf);
@@ -5042,6 +5052,9 @@
 		if (ebox)
 			gtk_container_add(GTK_CONTAINER(ebox), icon);
 		gtk_text_view_add_child_at_anchor(GTK_TEXT_VIEW(imhtml), ebox ? ebox : icon, anchor);
+
+		g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(numsmileys_thismsg + 1));
+		g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(numsmileys_total + 1));
 	} else if (imhtml_smiley != NULL && (imhtml->format_functions & GTK_IMHTML_SMILEY)) {
 		anchor = gtk_text_buffer_create_child_anchor(imhtml->text_buffer, iter);
 		imhtml_smiley->anchors = g_slist_append(imhtml_smiley->anchors, g_object_ref(anchor));
@@ -5054,6 +5067,9 @@
 			g_object_set_data_full(G_OBJECT(anchor), "gtkimhtml_htmltext", g_strdup(smiley), g_free);
 			gtk_text_view_add_child_at_anchor(GTK_TEXT_VIEW(imhtml), ebox, anchor);
 		}
+
+		g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(numsmileys_thismsg + 1));
+		g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(numsmileys_total + 1));
 	} else {
 		gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1);
 	}