pidgin/pidgin

Simple: fix a possible NULL-pointer dereference and add some input filtering. Fixes VRT-2013-1004
release-2.x.y
2014-01-10, Tomasz Wasilczyk
6bd2dd10e5da
Parents 89678e04a7ac
Children dfe26ea283ee
Simple: fix a possible NULL-pointer dereference and add some input filtering. Fixes VRT-2013-1004
2 files changed, 6 insertions(+), 1 deletions(-)
  • +1 -1
    libpurple/protocols/simple/simple.c
  • +5 -0
    libpurple/protocols/simple/sipmsg.c
    • --- a/libpurple/protocols/simple/simple.c Thu Jan 09 21:17:31 2014 -0800
    +++ b/libpurple/protocols/simple/simple.c Fri Jan 10 17:12:31 2014 +0100
    @@ -1640,7 +1640,7 @@
    cur += 2;
    restlen = conn->inbufused - (cur - conn->inbuf);
    if(restlen >= msg->bodylen) {
    - dummy = g_malloc(msg->bodylen + 1);
    + dummy = g_new(char, msg->bodylen + 1);
    memcpy(dummy, cur, msg->bodylen);
    dummy[msg->bodylen] = '\0';
    msg->body = dummy;
    --- a/libpurple/protocols/simple/sipmsg.c Thu Jan 09 21:17:31 2014 -0800
    +++ b/libpurple/protocols/simple/sipmsg.c Fri Jan 10 17:12:31 2014 +0100
    @@ -114,6 +114,11 @@
    tmp2 = sipmsg_find_header(msg, "Content-Length");
    if (tmp2 != NULL)
    msg->bodylen = strtol(tmp2, NULL, 10);
    + if (msg->bodylen < 0) {
    + purple_debug_warning("simple", "Invalid body length: %d",
    + msg->bodylen);
    + msg->bodylen = 0;
    + }
    if(msg->response) {
    tmp2 = sipmsg_find_header(msg, "CSeq");