changeset 30403:a4d7d154d00d
*** Plucked rev 7e159eaa14b0041fcc3ee5783cd1e4f2d039a1a1 (markdoliner@pidgin.im):
Fix a crash bug in oscar related to trying to allocate too much memory.
This was reported to our security mailing list by Jan Kaluza The Great.
I honestly couldn't figure out how to repro this crash, so I've been
considering it as not a remote-crash security problem, so I chose to
skip the CVE process for this.
*** Plucked rev 5f40454216dc36a3276e369a5b9483d6bddc13f2 (markdoliner@pidgin.im):
Make these unsigned, in case someone figures out how to actually send
one of these and somehow manages to use a negative number. Pointed out
by Yuriy M. Kaminskiy. Thanks, Yuriy!
| author | Mark Doliner <mark@kingant.net> |
|---|---|
| date | Tue, 10 Aug 2010 17:53:07 +0000 |
| parents | d48ae82c58ac |
| children | 8e9b04071e79 |
| files | libpurple/protocols/oscar/oscar.c |
| diffstat | 1 files changed, 13 insertions(+), 1 deletions(-) |
line diff
--- a/libpurple/protocols/oscar/oscar.c Tue Aug 10 17:09:32 2010 +0000 +++ b/libpurple/protocols/oscar/oscar.c Tue Aug 10 17:53:07 2010 +0000 @@ -1985,7 +1985,8 @@ case 0x1a: { /* Handle SMS or someone has sent you a greeting card or requested buddies? */ ByteStream qbs; - int smstype, taglen, smslen; + guint16 smstype; + guint32 taglen, smslen; char *tagstr = NULL, *smsmsg = NULL; xmlnode *xmlroot = NULL, *xmltmp = NULL; gchar *uin = NULL, *message = NULL; @@ -1999,12 +2000,23 @@ if (smstype != 0) break; taglen = byte_stream_getle32(&qbs); + if (taglen > 2000) { + /* Avoid trying to allocate large amounts of memory, in + case we get something unexpected. */ + break; + } tagstr = byte_stream_getstr(&qbs, taglen); if (tagstr == NULL) break; byte_stream_advance(&qbs, 3); byte_stream_advance(&qbs, 4); smslen = byte_stream_getle32(&qbs); + if (smslen > 2000) { + /* Avoid trying to allocate large amounts of memory, in + case we get something unexpected. */ + g_free(tagstr); + break; + } smsmsg = byte_stream_getstr(&qbs, smslen); /* Check if this is an SMS being sent from server */
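Review bot: in the first hunk, `taglen` and `smslen` are read with `byte_stream_getle32()` in the second hunk, so widening them to `guint32` matches the accessor and removes the negative-length case where a signed `int` could slip past a `> 2000` comparison; the accessor that fills `smstype` is outside the visible context, though, so confirm it returns a 16-bit value before narrowing that variable to `guint16`, otherwise the new type silently truncates the read.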
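Review bot: in the second hunk the limit `2000` appears twice as a bare literal with an identical comment; a single named constant (e.g. a `#define` for the maximum accepted SMS tag/message length) would keep the two checks from drifting apart and document why that bound was chosen. The cleanup on the new early exits is consistent: the `taglen` break happens before `tagstr` is allocated, and the `smslen` path frees `tagstr` before breaking. A fixed cap still lets a malformed packet claim more bytes than the stream holds, so if the byte stream API in this tree exposes a remaining-bytes query (`byte_stream_bytes_left()` in later oscar code), checking the length against it would reject oversized lengths regardless of the chosen constant.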