Blob Blame History Raw
diff -up pidgin-2.10.7/libpurple/util.c.CVE-2013-6479 pidgin-2.10.7/libpurple/util.c
--- pidgin-2.10.7/libpurple/util.c.CVE-2013-6479	2013-02-11 04:16:53.000000000 -0500
+++ pidgin-2.10.7/libpurple/util.c	2014-01-28 19:09:20.896950189 -0500
@@ -33,6 +33,10 @@
 #include "prefs.h"
 #include "util.h"
 
+/* 512KiB Default value for maximum HTTP download size (when the client hasn't
+   specified a length) */
+#define DEFAULT_MAX_HTTP_DOWNLOAD (512 * 1024)
+
 struct _PurpleUtilFetchUrlData
 {
 	PurpleUtilFetchUrlCallback callback;
@@ -68,7 +72,7 @@ struct _PurpleUtilFetchUrlData
 	char *webdata;
 	gsize len;
 	unsigned long data_len;
-	gssize max_len;
+	gsize max_len;
 	gboolean chunked;
 	PurpleAccount *account;
 };
@@ -3239,24 +3243,26 @@ purple_strcasereplace(const char *string
 	return ret;
 }
 
-const char *
-purple_strcasestr(const char *haystack, const char *needle)
+/** TODO: Expose this when we can add API */
+static const char *
+purple_strcasestr_len(const char *haystack, gssize hlen, const char *needle, gssize nlen)
 {
-	size_t hlen, nlen;
 	const char *tmp, *ret;
 
 	g_return_val_if_fail(haystack != NULL, NULL);
 	g_return_val_if_fail(needle != NULL, NULL);
 
-	hlen = strlen(haystack);
-	nlen = strlen(needle);
+	if (hlen == -1)
+		hlen = strlen(haystack);
+	if (nlen == -1)
+		nlen = strlen(needle);
 	tmp = haystack,
 	ret = NULL;
 
 	g_return_val_if_fail(hlen > 0, NULL);
 	g_return_val_if_fail(nlen > 0, NULL);
 
-	while (*tmp && !ret) {
+	while (*tmp && !ret && (hlen - (tmp - haystack)) >= nlen) {
 		if (!g_ascii_strncasecmp(needle, tmp, nlen))
 			ret = tmp;
 		else
@@ -3266,6 +3272,12 @@ purple_strcasestr(const char *haystack,
 	return ret;
 }
 
+const char *
+purple_strcasestr(const char *haystack, const char *needle)
+{
+	return purple_strcasestr_len(haystack, -1, needle, -1);
+}
+
 char *
 purple_str_size_to_units(size_t size)
 {
@@ -3575,7 +3587,7 @@ static void ssl_url_fetch_connect_cb(gpo
 static void ssl_url_fetch_error_cb(PurpleSslConnection *ssl_connection, PurpleSslErrorType error, gpointer data);
 
 static gboolean
-parse_redirect(const char *data, size_t data_len,
+parse_redirect(const char *data, gsize data_len,
 			   PurpleUtilFetchUrlData *gfud)
 {
 	gchar *s;
@@ -3680,20 +3692,21 @@ parse_redirect(const char *data, size_t
 	return TRUE;
 }
 
+/* find the starting point of the content for the specified header and make
+ * sure that the content is safe to pass to sscanf */
 static const char *
-find_header_content(const char *data, size_t data_len, const char *header, size_t header_len)
+find_header_content(const char *data, gsize data_len, const char *header)
 {
 	const char *p = NULL;
 
-	if (header_len <= 0)
-		header_len = strlen(header);
+	gsize header_len = strlen(header);
 
-	/* Note: data is _not_ nul-terminated.  */
 	if (data_len > header_len) {
+		/* Check if the first header matches (data won't start with a \n") */
 		if (header[0] == '\n')
 			p = (g_ascii_strncasecmp(data, header + 1, header_len - 1) == 0) ? data : NULL;
 		if (!p)
-			p = purple_strcasestr(data, header);
+			p = purple_strcasestr_len(data, data_len, header, header_len);
 		if (p)
 			p += header_len;
 	}
@@ -3709,13 +3722,13 @@ find_header_content(const char *data, si
 	return NULL;
 }
 
-static size_t
-parse_content_len(const char *data, size_t data_len)
+static gsize 
+parse_content_len(const char *data, gsize data_len)
 {
-	size_t content_len = 0;
+	gsize content_len = 0;
 	const char *p = NULL;
 
-	p = find_header_content(data, data_len, "\nContent-Length: ", sizeof("\nContent-Length: ") - 1);
+	p = find_header_content(data, data_len, "\nContent-Length: ");
 	if (p) {
 		sscanf(p, "%" G_GSIZE_FORMAT, &content_len);
 		purple_debug_misc("util", "parsed %" G_GSIZE_FORMAT "\n", content_len);
@@ -3725,9 +3738,9 @@ parse_content_len(const char *data, size
 }
 
 static gboolean
-content_is_chunked(const char *data, size_t data_len)
+content_is_chunked(const char *data, gsize data_len)
 {
-	const char *p = find_header_content(data, data_len, "\nTransfer-Encoding: ", sizeof("\nTransfer-Encoding: ") - 1);
+	const char *p = find_header_content(data, data_len, "\nTransfer-Encoding: ");
 	if (p && g_ascii_strncasecmp(p, "chunked", 7) == 0)
 		return TRUE;
 
@@ -3810,7 +3823,7 @@ url_fetch_recv_cb(gpointer url_data, gin
 	while ((gfud->is_ssl && ((len = purple_ssl_read(gfud->ssl_connection, buf, sizeof(buf))) > 0)) ||
 			(!gfud->is_ssl && (len = read(source, buf, sizeof(buf))) > 0))
 	{
-		if(gfud->max_len != -1 && (gfud->len + len) > gfud->max_len) {
+		if((gfud->len + len) > gfud->max_len) {
 			purple_util_fetch_url_error(gfud, _("Error reading from %s: response too long (%d bytes limit)"),
 						    gfud->website.address, gfud->max_len);
 			return;
@@ -3838,9 +3851,8 @@ url_fetch_recv_cb(gpointer url_data, gin
 			/* See if we've reached the end of the headers yet */
 			end_of_headers = strstr(gfud->webdata, "\r\n\r\n");
 			if (end_of_headers) {
-				char *new_data;
 				guint header_len = (end_of_headers + 4 - gfud->webdata);
-				size_t content_len;
+				gsize content_len;
 
 				purple_debug_misc("util", "Response headers: '%.*s'\n",
 					header_len, gfud->webdata);
@@ -3860,15 +3872,36 @@ url_fetch_recv_cb(gpointer url_data, gin
 					content_len = 8192;
 				} else {
 					gfud->has_explicit_data_len = TRUE;
+					if (content_len > gfud->max_len) {
+						purple_debug_error("util",
+								"Overriding explicit Content-Length of %" G_GSIZE_FORMAT " with max of %" G_GSSIZE_FORMAT "\n",
+								content_len, gfud->max_len);
+						content_len = gfud->max_len;
+					}
 				}
 
 
 				/* If we're returning the headers too, we don't need to clean them out */
 				if (gfud->include_headers) {
+					char *new_data;
 					gfud->data_len = content_len + header_len;
-					gfud->webdata = g_realloc(gfud->webdata, gfud->data_len);
+					new_data = g_try_realloc(gfud->webdata, gfud->data_len);
+					if (new_data == NULL) {
+						purple_debug_error("util",
+								"Failed to allocate %" G_GSIZE_FORMAT " bytes: %s\n",
+								content_len, g_strerror(errno));
+						purple_util_fetch_url_error(gfud,
+								_("Unable to allocate enough memory to hold "
+								  "the contents from %s.  The web server may "
+								  "be trying something malicious."),
+								gfud->website.address);
+
+						return;
+					}
+					gfud->webdata = new_data;
 				} else {
-					size_t body_len = gfud->len - header_len;
+					char *new_data;
+					gsize body_len = gfud->len - header_len;
 
 					content_len = MAX(content_len, body_len);
 
@@ -4154,7 +4187,11 @@ purple_util_fetch_url_request_len_with_a
 	gfud->request = g_strdup(request);
 	gfud->include_headers = include_headers;
 	gfud->fd = -1;
-	gfud->max_len = max_len;
+	if (max_len <= 0) {
+		max_len = DEFAULT_MAX_HTTP_DOWNLOAD;
+		purple_debug_error("util", "Defaulting max download from %s to %" G_GSSIZE_FORMAT "\n", url, max_len);
+	}
+	gfud->max_len = (gsize) max_len;
 	gfud->account = account;
 
 	purple_url_parse(url, &gfud->website.address, &gfud->website.port,