Attachment 855927 Details for Bug 1057484 – Local copy of patch

[patch] Local copy of patch

CVE-2013-6485.diff (text/plain), 1.41 KB, created by Huzaifa S. Sidhpurwala on 2014-01-27 06:17:18 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Huzaifa S. Sidhpurwala

Created: 2014-01-27 06:17:18 UTC

Size: 1.41 KB

patch

obsolete

>changeset:   33869:c9e5aba2dafd
>branch:      release-2.x.y
>user:        Tomasz Wasilczyk <tomkiewicz@cpw.pidgin.im>
>date:        Tue Aug 20 17:36:14 2013 +0200
>summary:     Correct HTTP chunked transfers code (not fixed in rev ebe3fb4a3bc2)
>
>diff -r e111ec8dcb3f -r c9e5aba2dafd libpurple/util.c
>--- a/libpurple/util.c	Fri Jul 05 12:14:21 2013 +0200
>+++ b/libpurple/util.c	Tue Aug 20 17:36:14 2013 +0200
>@@ -37,6 +37,8 @@
>    specified a length) */
> #define DEFAULT_MAX_HTTP_DOWNLOAD (512 * 1024)
> 
>+#define MAX_HTTP_CHUNK_SIZE (10 * 1024 * 1024)
>+
> struct _PurpleUtilFetchUrlData
> {
> 	PurpleUtilFetchUrlCallback callback;
>@@ -3781,11 +3783,12 @@ process_chunked_data(char *data, gsize *
> 			break;
> 		s += 2;
> 
>-		if (s + sz > data + *len) {
>+		if (sz > MAX_HTTP_CHUNK_SIZE || s + sz > data + *len) {
> 			purple_debug_error("util", "Error processing chunked data: "
> 					"Chunk size %" G_GSIZE_FORMAT " bytes was longer "
> 					"than the data remaining in the buffer (%"
> 					G_GSIZE_FORMAT " bytes)\n", sz, data + *len - s);
>+			break;
> 		}
> 
> 		/* Move all data overtop of the chunk length that we read in earlier */
>@@ -3793,7 +3796,7 @@ process_chunked_data(char *data, gsize *
> 		p += sz;
> 		s += sz;
> 		newlen += sz;
>-		if (*s != '\r' && *(s + 1) != '\n') {
>+		if (*s == '\0' || (*s != '\r' && *(s + 1) != '\n')) {
> 			purple_debug_error("util", "Error processing chunked data: "
> 					"Expected \\r\\n, found: %s\n", s);
> 			break;
>

Actions: View | Diff

Attachments on bug 1057484: 855927