Attachment 855935 Details for Bug 1057498 – Local copy of patch

[patch] Local copy of patch

CVE-2013-6490.diff (text/plain), 1.42 KB, created by Huzaifa S. Sidhpurwala on 2014-01-27 06:30:40 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Huzaifa S. Sidhpurwala

Created: 2014-01-27 06:30:40 UTC

Size: 1.42 KB

patch

obsolete

>changeset:   35180:6bd2dd10e5da
>branch:      release-2.x.y
>parent:      35175:89678e04a7ac
>user:        Tomasz Wasilczyk <twasilczyk@pidgin.im>
>date:        Fri Jan 10 17:12:31 2014 +0100
>summary:     Simple: fix a possible NULL-pointer dereference and add some input filtering. Fixes VRT-2013-1004
>
>diff -r 89678e04a7ac -r 6bd2dd10e5da libpurple/protocols/simple/simple.c
>--- a/libpurple/protocols/simple/simple.c	Thu Jan 09 21:17:31 2014 -0800
>+++ b/libpurple/protocols/simple/simple.c	Fri Jan 10 17:12:31 2014 +0100
>@@ -1640,7 +1640,7 @@ static void process_input(struct simple_
> 		cur += 2;
> 		restlen = conn->inbufused - (cur - conn->inbuf);
> 		if(restlen >= msg->bodylen) {
>-			dummy = g_malloc(msg->bodylen + 1);
>+			dummy = g_new(char, msg->bodylen + 1);
> 			memcpy(dummy, cur, msg->bodylen);
> 			dummy[msg->bodylen] = '\0';
> 			msg->body = dummy;
>diff -r 89678e04a7ac -r 6bd2dd10e5da libpurple/protocols/simple/sipmsg.c
>--- a/libpurple/protocols/simple/sipmsg.c	Thu Jan 09 21:17:31 2014 -0800
>+++ b/libpurple/protocols/simple/sipmsg.c	Fri Jan 10 17:12:31 2014 +0100
>@@ -114,6 +114,11 @@ struct sipmsg *sipmsg_parse_header(const
> 	tmp2 = sipmsg_find_header(msg, "Content-Length");
> 	if (tmp2 != NULL)
> 		msg->bodylen = strtol(tmp2, NULL, 10);
>+	if (msg->bodylen < 0) {
>+		purple_debug_warning("simple", "Invalid body length: %d",
>+			msg->bodylen);
>+		msg->bodylen = 0;
>+	}
> 
> 	if(msg->response) {
> 		tmp2 = sipmsg_find_header(msg, "CSeq");
>

Actions: View | Diff

Attachments on bug 1057498: 855935