Attachment 855933 Details for Bug 1057490 – Local copy of patch

[patch] Local copy of patch

CVE-2013-6489.diff (text/plain), 1.22 KB, created by Huzaifa S. Sidhpurwala on 2014-01-27 06:28:08 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Huzaifa S. Sidhpurwala

Created: 2014-01-27 06:28:08 UTC

Size: 1.22 KB

patch

obsolete

>changeset:   33897:4c897372b5a4
>branch:      release-2.x.y
>user:        Tomasz Wasilczyk <twasilczyk@pidgin.im>
>date:        Thu Jan 09 21:45:33 2014 +0100
>summary:     Mxit: fix a possible segfault, refs VRT-2013-1002
>
>diff -r ec15aa187aa0 -r 4c897372b5a4 libpurple/protocols/mxit/markup.c
>--- a/libpurple/protocols/mxit/markup.c	Mon Nov 25 17:03:17 2013 +0100
>+++ b/libpurple/protocols/mxit/markup.c	Thu Jan 09 21:45:33 2014 +0100
>@@ -203,7 +203,8 @@ static unsigned int asn_getlength( const
>  */
> static int asn_getUtf8( const gchar* data, gchar type, char** utf8 )
> {
>-	int		len;
>+	unsigned int len;
>+	gchar *out_str;
> 
> 	/* validate the field type [1 byte] */
> 	if ( data[0] != type ) {
>@@ -212,10 +213,17 @@ static int asn_getUtf8( const gchar* dat
> 		return -1;
> 	}
> 
>-	len = data[1];						/* length field [1 bytes] */
>-	*utf8 = g_malloc( len + 1 );
>-	memcpy( *utf8, &data[2], len );		/* data field */
>-	(*utf8)[len] = '\0';
>+	len = (uint8_t)data[1]; /* length field [1 byte] */
>+	out_str = g_malloc(len + 1);
>+	if (out_str == NULL) {
>+		purple_debug_fatal(MXIT_PLUGIN_ID, "asn_getUtf8: out of memory");
>+		return -1;
>+	}
>+
>+	memcpy(out_str, &data[2], len); /* data field */
>+	out_str[len] = '\0';
>+
>+	*utf8 = out_str;
> 
> 	return ( len + 2 );
> }
>

Actions: View | Diff

Attachments on bug 1057490: 855933