changeset 24475:caf82c1cebf2

I've seen this crash a few times where cmd->param_count is 4 and we try to access params[4] which is invalid. The backtrace is:

#0 0x0000003c4c4341ca in ____strtoll_l_internal () from /lib64/libc.so.6
#1 0x0000003c4c431ab2 in atoi () from /lib64/libc.so.6
#2 0x00000000005f0abe in ubm_cmd (cmdproc=0xc86eb30, cmd=0xc832e00) at notification.c:494
#3 0x00000000005efef1 in msn_cmdproc_process_cmd (cmdproc=0xc86eb30, cmd=0xc832e00) at cmdproc.c:321
#4 0x00000000005eff97 in msn_cmdproc_process_cmd_text (cmdproc=0xc86eb30, command=0xcadb390 "UBM somebody1@yahoo.com 32 1 170") at cmdproc.c:343
#5 0x00000000005f9d8f in read_cb (data=0xc86ea90, source=9, cond=PURPLE_INPUT_READ) at servconn.c:439
#6 0x00000000004db70c in pidgin_io_invoke (source=0xc8369f0, condition=G_IO_IN, data=0xc836570) at gtkeventloop.cc:79

Here are some other values I've seen for command in frame 4:

UBM somebody1@yahoo.com 32 1 170
UBM somebody2@yahoo.com 32 2 91
UBM somebody3@yahoo.com 32 2 93
author Mark Doliner <mark@kingant.net>
date Tue, 18 Nov 2008 07:16:49 +0000
parents 8de8ca65e1d9
children 3d6fe79753c3 7c09f32d01cb
files libpurple/protocols/msn/notification.c
diffstat 1 files changed, 1 insertions(+), 1 deletions(-)
--- a/libpurple/protocols/msn/notification.c	Tue Nov 18 03:02:03 2008 +0000
+++ b/libpurple/protocols/msn/notification.c	Tue Nov 18 07:16:49 2008 +0000
@@ -491,7 +491,7 @@
 	 * command and we are processing it */
 	if (cmd->payload == NULL) {
 		cmdproc->last_cmd->payload_cb = msg_cmd_post;
-		cmd->payload_len = atoi(cmd->params[4]);
+		cmd->payload_len = cmd->param_count >= 4 ? atoi(cmd->params[4]) : 0;
 	} else {
 		g_return_if_fail(cmd->payload_cb != NULL);
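Review bot: The guard on the added line, cmd->param_count >= 4, is still true when param_count is exactly 4, which is the case the commit message reports as crashing, so atoi(cmd->params[4]) is still reached with an index one past the last valid element (valid indices are 0 to 3). The condition should be cmd->param_count > 4 (equivalently >= 5) for params[4] to be safe to read. Separately, the string comes from a server-supplied command (frame 5 is read_cb) and atoi reports neither errors nor range problems, so parsing with a checked conversion and rejecting negative or non-numeric values before assigning payload_len would be worth doing in the same change.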