pidgin/pidgin

Fix an assert in purple_markup_html_to_xhtml
release-2.x.y
2021-09-15, Elliott Sales de Andrade
cb21c7484e4c
Parents addb2327cde0
Children 4b6b116a586d
Fix an assert in purple_markup_html_to_xhtml

While `g_string_free` is NULL-safe, the assert for passing it in breaks
ossfuzz. This can happen if there is no `src=` in the `img` as expected.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35029

Testing Done:
Ran the test case from the bug against `fuzz_html_to_xhtml`

Reviewed at https://reviews.imfreedom.org/r/921/
--- a/libpurple/util.c Wed Sep 15 13:11:17 2021 -0500
+++ b/libpurple/util.c Wed Sep 15 13:23:50 2021 -0500
@@ -1652,8 +1652,12 @@
else
c = p;
/* src and alt are required! */
- if(src && xhtml)
- g_string_append_printf(xhtml, "<img src='%s' alt='%s' />", g_strstrip(src->str), alt ? alt->str : "");
+ if (src) {
+ if (xhtml) {
+ g_string_append_printf(xhtml, "<img src='%s' alt='%s' />", g_strstrip(src->str), alt ? alt->str : "");
+ }
+ g_string_free(src, TRUE);
+ }
if(alt) {
if(plain)
plain = g_string_append(plain, alt->str);
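Review bot: The comment `/* src and alt are required! */` directly above the new `if (src) {` no longer matches the code, because this block now exists to tolerate an `img` with no `src=`. Please reword it to say that a missing `src` skips the `<img>` output and the free, while the `if(alt)` block below still runs. Separately, `g_strstrip(src->str)` and `alt->str` are written into single-quoted attributes with `%s`, and nothing in these lines escapes them, so it is worth confirming that a `'` in either value is escaped where the strings are collected. Style nit: `if (src) {` and `if (xhtml) {` use a space after `if`, while the neighbouring `if(alt)` and `if(plain)` do not.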
@@ -1661,7 +1665,6 @@
xhtml = g_string_append(xhtml, alt->str);
g_string_free(alt, TRUE);
}
- g_string_free(src, TRUE);
continue;
}
if (!g_ascii_strncasecmp(c, "<a", 2) && (*(c+2) == '>' || *(c+2) == ' ')) {
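Review bot: No regression test accompanies the removal of the unconditional `g_string_free(src, TRUE);` before `continue;`, and the commit message lists only a manual run of the fuzz case against `fuzz_html_to_xhtml`. Since `src` is now freed only inside `if (src)` in the previous hunk, a unit test feeding an `<img>` that has `alt=` but no `src=` would pin both the no-assert behaviour and the handling of `alt` on that path. The visible `if(alt)` block does not reference `src`, so moving the free ahead of it looks safe.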