--- a/ChangeLog Mon Feb 11 01:03:34 2013 -0800
+++ b/ChangeLog Mon Feb 11 01:09:30 2013 -0800
@@ -39,6 +39,9 @@
* Fix a bug where a remote MXit user could possibly specify a local
file path to be written to. (CVE-2013-0271)
+ * Fix a bug where the MXit server or a man-in-the-middle could
+ potentially send specially crafted data that could overflow a buffer
+ and lead to a crash or remote code execution. (CVE-2013-0272)
* Display farewell messages in a different colour to distinguish
them from normal messages.
* Add support for typing notification.
--- a/libpurple/protocols/mxit/http.c Mon Feb 11 01:03:34 2013 -0800
+++ b/libpurple/protocols/mxit/http.c Mon Feb 11 01:09:30 2013 -0800
@@ -116,11 +116,12 @@
/* read bytes from the socket */
- len = read( session->fd, buf + buflen, sizeof( buf ) - buflen );
+ len = read( session->fd, buf + buflen, sizeof( buf ) - ( buflen + 1 ) ); /* connection has been terminated, or error occurred */
+ buf[buflen+len] = '\0';
@@ -181,7 +182,11 @@
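Review bot: The read count `sizeof( buf ) - ( buflen + 1 )` is computed in unsigned arithmetic, so if buflen can ever reach sizeof( buf ) (its origin is outside this hunk) the subtraction wraps to a very large count instead of zero. A guard ahead of the read, such as `if ( buflen < 0 || (size_t) buflen + 1 >= sizeof( buf ) )` taking the same exit as the error path, would make the bound explicit rather than implied. The added `buf[buflen+len] = '\0';` is only safe once a non-positive len has been rejected; the hunk shows the comment for that path but not the check itself, so confirm the store comes after it. The enclosing function starts and ends outside the hunk.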
- if ( buflen > ( ( body - buf ) + bodylen ) ) {
+ if ( buflen + bodylen >= CP_MAX_PACKET ) {
+ /* this packet is way to big */
+ else if ( buflen > ( ( body - buf ) + bodylen ) ) { /* we have a second packet here */
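Review bot: The new bound `buflen + bodylen >= CP_MAX_PACKET` rejects only large positive sums. If bodylen is a signed value taken from the peer's response header (its parsing is not visible in this hunk), a negative length or an addition that overflows int would pass the check and reach whatever consumes bodylen afterwards. Writing it as `if ( bodylen < 0 || bodylen >= CP_MAX_PACKET - buflen ) {` avoids the overflowing addition and rejects negative lengths. The comment should read `/* this packet is way too big */`. The body of the rejecting branch and the rest of the enclosing function lie outside the hunk.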