changeset 31341:d88f3153170b

Fix CVE-2011-1091, improper handling of malformed YMSG packets cause NULL pointer dereferences, leading to denial of service.
author John Bailey <rekkanoryo@rekkanoryo.org>
date Fri, 11 Mar 2011 02:00:15 +0000
parents 9d32376fb157
children f9cd24db04dd
files libpurple/protocols/yahoo/libymsg.c
diffstat 1 files changed, 7 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/libpurple/protocols/yahoo/libymsg.c	Fri Mar 11 01:56:51 2011 +0000
+++ b/libpurple/protocols/yahoo/libymsg.c	Fri Mar 11 02:00:15 2011 +0000
@@ -842,7 +842,7 @@
 				break;
 		}
 
-		if (*stat == '1')
+		if (stat && *stat == '1')
 			serv_got_typing(gc, fed_from, 0, PURPLE_TYPING);
 		else
 			serv_got_typing_stopped(gc, fed_from);
@@ -864,7 +864,7 @@
 
 		yahoo_friend_set_game(f, NULL);
 
-		if (*stat == '1') {
+		if (stat && *stat == '1') {
 			yahoo_friend_set_game(f, game);
 			if (bud)
 				yahoo_update_status(gc, from, f);
@@ -922,6 +922,11 @@
 		l = l->next;
 	}
 
+	if(!sms) {
+		purple_debug_info("yahoo", "Received a malformed SMS packet!\n");
+		return;
+	}
+
 	if( (pkt->status == -1) || (pkt->status == YAHOO_STATUS_DISCONNECTED) ) {
 		if (server_msg) {
 			PurpleConversation *c;