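diff -up pidgin-2.10.7/libpurple/util.c.CVE-2013-6485 pidgin-2.10.7/libpurple/util.c
--- pidgin-2.10.7/libpurple/util.c.CVE-2013-6485 2014-01-28 19:09:20.896950189 -0500
+++ pidgin-2.10.7/libpurple/util.c 2014-01-29 16:48:35.033699646 -0500
@@ -37,6 +37,8 @@
 specified a length) */
 #define DEFAULT_MAX_HTTP_DOWNLOAD (512 * 1024)
 
+#define MAX_HTTP_CHUNK_SIZE (10 * 1024 * 1024)
+
 struct _PurpleUtilFetchUrlData
 {
 PurpleUtilFetchUrlCallback callback;
@@ -3780,11 +3782,12 @@ process_chunked_data(char *data, gsize *
 break;
 s += 2;
 
- if (s + sz > data + *len) {
+ if (sz > MAX_HTTP_CHUNK_SIZE || s + sz > data + *len) {
 purple_debug_error("util", "Error processing chunked data: "
 "Chunk size %" G_GSIZE_FORMAT " bytes was longer "
 "than the data remaining in the buffer (%"
 G_GSIZE_FORMAT " bytes)\n", sz, data + *len - s);
+ break;
 }
 
 /* Move all data overtop of the chunk length that we read in earlier */
@@ -3792,7 +3795,7 @@ process_chunked_data(char *data, gsize *
 p += sz;
 s += sz;
 newlen += sz;
- if (*s != '\r' && *(s + 1) != '\n') {
+ if (*s == '\0' || (*s != '\r' && *(s + 1) != '\n')) {
 purple_debug_error("util", "Error processing chunked data: "
 "Expected \\r\\n, found: %s\n", s);
 break;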
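Review bot: The terminator check in the last hunk still joins the two byte tests with `&&`, so a chunk followed by `\r` and any byte other than `\n` (including a terminating NUL) is accepted; rejecting unless both bytes match, `if (s[0] != '\r' || s[1] != '\n') {`, also covers the `*s == '\0'` case without reading `s[1]` past a NUL. In the second hunk, `s + sz > data + *len` forms a pointer up to MAX_HTTP_CHUNK_SIZE beyond the buffer before comparing, which is undefined and could wrap on a 32-bit address space; comparing lengths avoids that, `if (sz > MAX_HTTP_CHUNK_SIZE || sz > (gsize)(data + *len - s)) {`. That branch also logs "longer than the data remaining" when only the cap was exceeded, and passes a pointer difference for a `G_GSIZE_FORMAT` argument. process_chunked_data begins and ends outside these hunks, so whether the buffer is NUL-terminated and how `s` advances after the check cannot be confirmed from here.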