rpms / pidgin

Clone
Source Code
GIT

Files

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c7-sig-altarch-fasttrack c8 c8-beta c8s
  1.   c7-ppc64le
  2.   SOURCES
  3.   pidgin-2.10.7-CVE-2013-6485.patch
Blob Blame History Raw 
diff -up pidgin-2.10.7/libpurple/util.c.CVE-2013-6485 pidgin-2.10.7/libpurple/util.c
--- pidgin-2.10.7/libpurple/util.c.CVE-2013-6485	2014-01-28 19:09:20.896950189 -0500
+++ pidgin-2.10.7/libpurple/util.c	2014-01-29 16:48:35.033699646 -0500
@@ -37,6 +37,8 @@
    specified a length) */
 #define DEFAULT_MAX_HTTP_DOWNLOAD (512 * 1024)
 
+#define MAX_HTTP_CHUNK_SIZE (10 * 1024 * 1024)
+
 struct _PurpleUtilFetchUrlData
 {
 	PurpleUtilFetchUrlCallback callback;
@@ -3780,11 +3782,12 @@ process_chunked_data(char *data, gsize *
 			break;
 		s += 2;
 
-		if (s + sz > data + *len) {
+		if (sz > MAX_HTTP_CHUNK_SIZE || s + sz > data + *len) {
 			purple_debug_error("util", "Error processing chunked data: "
 					"Chunk size %" G_GSIZE_FORMAT " bytes was longer "
 					"than the data remaining in the buffer (%"
 					G_GSIZE_FORMAT " bytes)\n", sz, data + *len - s);
+			break;
 		}
 
 		/* Move all data overtop of the chunk length that we read in earlier */
@@ -3792,7 +3795,7 @@ process_chunked_data(char *data, gsize *
 		p += sz;
 		s += sz;
 		newlen += sz;
-		if (*s != '\r' && *(s + 1) != '\n') {
+		if (*s == '\0' || (*s != '\r' && *(s + 1) != '\n')) {
 			purple_debug_error("util", "Error processing chunked data: "
 					"Expected \\r\\n, found: %s\n", s);
 			break;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation