pidgin/pidgin

Merged TALOS-CAN-0123
release-2.x.y
2016-06-12, Gary Kramlich
c5f640eaff47
Merged TALOS-CAN-0123
--- a/ChangeLog Sun Jun 12 22:06:26 2016 -0500
+++ b/ChangeLog Sun Jun 12 22:08:41 2016 -0500
@@ -24,6 +24,8 @@
(TALOS-CAN-0118)
* Fixed a remote buffer overflow vulnerability. Discovered by Yves
Younan of Cisco Talos. (TALOS-CAN-0119)
+ * Fixed an out-of-bounds read discovered by Yves Younan of Cisco Talos.
+ (TALOS-CAN-0123)
version 2.10.12 (12/31/15):
General:
--- a/libpurple/protocols/mxit/markup.c Sun Jun 12 22:06:26 2016 -0500
+++ b/libpurple/protocols/mxit/markup.c Sun Jun 12 22:08:41 2016 -0500
@@ -1083,7 +1083,6 @@
GList* entry;
GList* tagstack = NULL;
char* reply;
- char color[8];
int len = strlen ( message );
int i;
@@ -1145,12 +1144,18 @@
}
else if ( purple_str_has_prefix( &message[i], "<font color=" ) ) {
/* font colour */
- tag = g_new0( struct tag, 1 );
- tag->type = MXIT_TAG_COLOR;
- tagstack = g_list_append( tagstack, tag );
- memset( color, 0x00, sizeof( color ) );
- memcpy( color, &message[i + 13], 7 );
- g_string_append( mx, color );
+ char color[8];
+
+ /* ensure we have the complete tag: <font color="#123456"> */
+ if ( i + 20 < len ) {
+ tag = g_new0( struct tag, 1 );
+ tag->type = MXIT_TAG_COLOR;
+ tagstack = g_list_append( tagstack, tag );
+
+ memset( color, 0x00, sizeof( color ) );
+ memcpy( color, &message[i + 13], 7 );
+ g_string_append( mx, color );
+ }
}
else if ( purple_str_has_prefix( &message[i], "</font>" ) ) {
/* end of font tag */
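Review bot: The guard `if ( i + 20 < len )` keeps the 7-byte `memcpy` from `&message[i + 13]` in bounds, but it checks length only, not the shape described in the comment above it. The tag `<font color="#123456">` is 22 bytes, so its closing `>` sits at `i + 21`, and only the `<font color=` prefix has been matched, so whatever seven bytes follow are appended to `mx` unvalidated. Consider `if ( i + 21 < len && message[i + 12] == '"' && message[i + 13] == '#' )`, optionally with a `g_ascii_isxdigit()` check on the six digits. When the guard fails, no `MXIT_TAG_COLOR` entry is pushed, so a later `</font>` has no matching entry on `tagstack`. That branch and the rest of the function lie outside this hunk, so it is worth confirming that an empty or mismatched stack is handled there.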