pidgin/pidgin

Parents 56c7dbe97266
Children 1a155271da6c
facebook-json: fixed a size overflow with string duplication

Unlike json_parser_load_from_data(), g_strndup() will not handle signed
sizes that are negative. This causes the size to overflow to a really
large value, and in turn lead to a segmentation fault.

The solution is simple: calculate the size of the data when the given
size is negative.

This bug was introduced by 7f8a2f301a82.
--- a/libpurple/protocols/facebook/json.c Mon Dec 21 16:31:26 2015 -0500
+++ b/libpurple/protocols/facebook/json.c Mon Dec 21 16:35:01 2015 -0500
@@ -262,9 +262,14 @@
JsonNode *root;
JsonParser *prsr;
+ g_return_val_if_fail(data != NULL, NULL);
+
+ if (size < 0) {
+ size = strlen(data);
+ }
+
/* Ensure data is null terminated for json-glib < 1.0.2 */
slice = g_strndup(data, size);
-
prsr = json_parser_new();
if (!json_parser_load_from_data(prsr, slice, size, error)) {
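Review bot: the new `if (size < 0)` branch assigns the `size_t` result of `strlen(data)` to the signed `size`, so it silently relies on the caller passing a NUL-terminated buffer whenever it passes a negative size, and on the string length fitting in the signed type; a short comment above the branch stating that contract (negative size means "data is NUL-terminated, compute the length") would make the intent clear to future readers, and the same `size` is then passed both to `g_strndup()` and to `json_parser_load_from_data()`, which is fine but worth noting. The removed blank line after `slice = g_strndup(data, size);` is unrelated whitespace churn and would be cleaner left out of a bug-fix commit.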