File pidgin-CVE-2013-0272.patch of Package pidgin

# HG changeset patch
# User Mark Doliner <mark@kingant.net>
# Date 1360573770 28800
# Node ID 879db2a9a59c5f0bd1007fd89271092932315a65
# Parent  a8aef1d340f2b2430321533cef87f5289968fa91
Fix a bug where the MXit server or a man-in-the-middle could
potentially send specially crafted data that could overflow a buffer
and lead to a crash or remote code execution.

This is CVE-2013-0272.

The problem was detected by Coverity static analysis, and Daniel Atallah
brought it to everyone's attention and got us to fix it.

diff --git a/libpurple/protocols/mxit/http.c b/libpurple/protocols/mxit/http.c
--- a/libpurple/protocols/mxit/http.c
+++ b/libpurple/protocols/mxit/http.c
@@ -116,11 +116,12 @@
 		buflen = session->rx_i;
 
 		/* read bytes from the socket */
-		len = read( session->fd, buf + buflen, sizeof( buf ) - buflen );
+		len = read( session->fd, buf + buflen, sizeof( buf ) - ( buflen + 1 ) );
 		if ( len <= 0 ) {
 			/* connection has been terminated, or error occurred */
 			goto done;
 		}
+		buf[buflen+len] = '\0';
 
 //nextpacket:
 
@@ -181,7 +182,11 @@
 		g_free( tmp );
 		tmp = NULL;
 
-		if ( buflen > ( ( body - buf ) + bodylen ) ) {
+		if ( buflen + bodylen >= CP_MAX_PACKET ) {
+			/* this packet is way to big */
+			goto done;
+		}
+		else if ( buflen > ( ( body - buf ) + bodylen ) ) {
 			/* we have a second packet here */
 			next = body + bodylen;
 			session->rx_res = 0;

openSUSE Build Service is sponsored by