pidgin/pidgin

fix a heap-use-after-free in jabber_push_bytes_cb
use-after-free
2019-12-19, Fabrice Bellet
da304c8c1cf9
fix a heap-use-after-free in jabber_push_bytes_cb
--- a/libpurple/protocols/jabber/jabber.c Sun Nov 10 16:29:55 2019 +0100
+++ b/libpurple/protocols/jabber/jabber.c Thu Dec 19 10:46:28 2019 +0100
@@ -1599,8 +1599,18 @@
jabber_bosh_connection_destroy(js->bosh);
js->bosh = NULL;
} else if (js->output != NULL) {
- jabber_send_raw(js, "</stream:stream>", -1);
-
+ /* We should emit the stream termination message here
+ * normally, but since we destroy the jabber stream just
+ * after, it has no way to effectively go out on the
+ * wire. Moreover, it causes a connection lost error in
+ * the output queued stream that triggers an
+ * heap-use-after-free error in jabber_push_bytes_cb().
+ *
+ * This case happens when disabling the jabber account
+ * from the dialog box.
+ *
+ * jabber_send_raw(js, "</stream:stream>", -1);
+ */
if(js->inpa) {
g_source_remove(js->inpa);
js->inpa = 0;
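Review bot: Commenting out the `</stream:stream>` write removes one trigger of the use-after-free but not the underlying hazard: if `js->output` already has queued bytes, or the connection drops for another reason while the stream is torn down, `jabber_push_bytes_cb()` can presumably still run against the freed `js`, so the callbacks on `js->output` should be detached (pending write cancelled, signal handlers bound to `js` disconnected) in this `js->output != NULL` branch before the stream is destroyed — I cannot see `jabber_push_bytes_cb()` or the destroy path from here, so confirm where the callback keeps its `js` reference. The skipped close tag also means the peer sees an abrupt stream closure rather than a clean end, which is worth stating explicitly; replace the commented-out `jabber_send_raw(js, "</stream:stream>", -1);` line with a one-sentence why-comment (the close tag is deliberately omitted because `js` is freed before it could be flushed, and a write completing after the free caused the UAF) rather than leaving dead code in the comment. The enclosing function starts before and continues after this hunk.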