
49eb0136f2ec
Parents 910bab8c9dac
Children 624cf59658dc
jabber: avoid possible heap overflow when a very small file has been chosen for
your own avatar

* Thanks go to Jacob Appelbaum for noticing this
* The way this works is certainly not ideal, but libpurple doesn't depend on
any image libraries.
--- a/libpurple/protocols/jabber/useravatar.c Mon Feb 18 22:10:12 2013 -0500
+++ b/libpurple/protocols/jabber/useravatar.c Mon Feb 18 22:46:53 2013 -0500
@@ -113,6 +113,7 @@
* and width.
*/
/* A PNG header, including the IHDR, but nothing else */
+ /* ATTN: this is in network byte order! */
const struct {
guchar signature[8]; /* must be hex 89 50 4E 47 0D 0A 1A 0A */
struct {
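Review bot: The added `ATTN` comment sits above the whole struct but does not say which members it applies to; the `signature[8]` member on the following line is a byte array with no byte order, so a reader has to guess that the note is about the multi-byte IHDR members, which lie outside this hunk. I would make it `/* ATTN: the multi-byte IHDR fields below are stored big-endian (network byte order); convert before comparing with host values. */`. Since this struct is also the yardstick for the new size check against purple_imgstore_get_size() in the following hunk, the comment should also say that the compiler may insert alignment padding, so `sizeof(*png)` can exceed the on-disk signature+IHDR length (29 bytes in the PNG format, if the members mirror it) and the check is conservative rather than exact; confirm this against the members between the two hunks. The struct definition opens at the end of this hunk and continues past it.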
@@ -126,10 +127,13 @@
guchar filter;
guchar interlace;
} ihdr;
- } *png = purple_imgstore_get_data(img); /* ATTN: this is in network byte order! */
+ } *png = NULL;
+
+ if (purple_imgstore_get_size(img) > sizeof(*png))
+ png = purple_imgstore_get_data(img);
/* check if the data is a valid png file (well, at least to some extent) */
- if(png->signature[0] == 0x89 &&
+ if(png && png->signature[0] == 0x89 &&
png->signature[1] == 0x50 &&
png->signature[2] == 0x4e &&
png->signature[3] == 0x47 &&