--- a/ChangeLog Wed Nov 30 01:04:16 2011 +0000
+++ b/ChangeLog Tue Dec 06 06:40:23 2011 +0000
@@ -4,6 +4,10 @@
* Fix compilation on OpenBSD.
+ * Fix remotely-triggerable crashes by validating strings in a few
+ messages related to buddy list management. (#14682)
 * IPv6 fixes (Linus Lüssing)
--- a/libpurple/protocols/oscar/family_feedbag.c Wed Nov 30 01:04:16 2011 +0000
+++ b/libpurple/protocols/oscar/family_feedbag.c Tue Dec 06 06:40:23 2011 +0000
@@ -1650,18 +1650,35 @@
aim_rxcallback_t userfunc;
+ char *bn, *msg, *tmpstr;
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
+ tmp = byte_stream_get8(bs);
+ purple_debug_warning("oscar", "Dropping auth grant SNAC "
+ "because username was empty\n");
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping auth grant SNAC "
+ "because the username was not valid UTF-8\n");
- /* Read message (null terminated) */
- if ((tmp = byte_stream_get16(bs)))
+ tmp = byte_stream_get16(bs);
 msg = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(msg, -1, NULL)) {
+ /* Ugh, msg isn't UTF8. Let's salvage. */
+ purple_debug_warning("oscar", "Got non-UTF8 message in auth "
+ "grant from %s\n", bn);
+ tmpstr = purple_utf8_salvage(msg);
@@ -1724,18 +1741,35 @@
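Review bot: The new `if (!g_utf8_validate(bn, -1, NULL))` check, and the matching one on `msg`, assumes `byte_stream_getstr()` returned a string; if that helper returns NULL when the length byte exceeds what is left in the stream (nothing in this hunk checks the remaining length), a truncated packet reaches `g_utf8_validate()` with a NULL pointer, which GLib does not guard against. Folding the pointer check into the same condition keeps a single drop path for the username, `if (bn == NULL || !g_utf8_validate(bn, -1, NULL)) {`, while for `msg` a NULL result has to be dropped (freeing `bn`) before the salvage branch rather than fed to `purple_utf8_salvage()`. The rendered hunk omits the lines between each warning and the next statement, so the early return and `g_free()` on the drop path are inferred rather than visible, and the enclosing handler starts and ends outside the hunk. Separately, the old code left `msg` NULL when the length was zero while `msg = byte_stream_getstr(bs, tmp)` now always yields an allocated, possibly empty, string, so any callback that tested `msg == NULL` should be re-checked. The same points apply to the `@@ -1724` and `@@ -1808` hunks and, for the username only, to the `@@ -1848` hunk.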
aim_rxcallback_t userfunc;
+ char *bn, *msg, *tmpstr;
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
+ tmp = byte_stream_get8(bs);
+ purple_debug_warning("oscar", "Dropping auth request SNAC "
+ "because username was empty\n");
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping auth request SNAC "
+ "because the username was not valid UTF-8\n");
- /* Read message (null terminated) */
- if ((tmp = byte_stream_get16(bs)))
+ tmp = byte_stream_get16(bs);
 msg = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(msg, -1, NULL)) {
+ /* Ugh, msg isn't UTF8. Let's salvage. */
+ purple_debug_warning("oscar", "Got non-UTF8 message in auth "
+ "request from %s\n", bn);
+ tmpstr = purple_utf8_salvage(msg);
@@ -1808,21 +1842,38 @@
aim_rxcallback_t userfunc;
+ char *bn, *msg, *tmpstr;
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
+ tmp = byte_stream_get8(bs);
+ purple_debug_warning("oscar", "Dropping auth reply SNAC "
+ "because username was empty\n");
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping auth reply SNAC "
+ "because the username was not valid UTF-8\n");
 reply = byte_stream_get8(bs);
- /* Read message (null terminated) */
- if ((tmp = byte_stream_get16(bs)))
+ tmp = byte_stream_get16(bs);
 msg = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(msg, -1, NULL)) {
+ /* Ugh, msg isn't UTF8. Let's salvage. */
+ purple_debug_warning("oscar", "Got non-UTF8 message in auth "
+ "reply from %s\n", bn);
+ tmpstr = purple_utf8_salvage(msg);
@@ -1848,10 +1899,18 @@
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
+ tmp = byte_stream_get8(bs);
+ purple_debug_warning("oscar", "Dropping 'you were added' SNAC "
+ "because username was empty\n");
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping 'you were added' SNAC "
+ "because the username was not valid UTF-8\n");
 if ((userfunc = aim_callhandler(od, snac->family, snac->subtype)))
ret = userfunc(od, conn, frame, bn);