diff -up pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c --- pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 +++ pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c 2014-01-27 10:20:14.473648650 -0500 @@ -21,6 +21,12 @@ * */ +/* + * Note: When handling the list of struct yahoo_pair's from an incoming + * packet the value might not be UTF-8. You should either validate that + * it is UTF-8 using g_utf8_validate() or use yahoo_string_decode(). + */ + #include "internal.h" #include "account.h" @@ -592,14 +598,24 @@ static void yahoo_process_list_15(Purple yd->current_list15_grp = yahoo_string_decode(gc, pair->value, FALSE); break; case 7: /* buddy's s/n */ - g_free(temp); - temp = g_strdup(purple_normalize(account, pair->value)); + if (g_utf8_validate(pair->value, -1, NULL)) { + g_free(temp); + temp = g_strdup(purple_normalize(account, pair->value)); + } else { + purple_debug_warning("yahoo", "yahoo_process_list_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 241: /* user on federated network */ fed = strtol(pair->value, NULL, 10); break; case 59: /* somebody told cookies come here too, but im not sure */ - yahoo_process_cookie(yd, pair->value); + if (g_utf8_validate(pair->value, -1, NULL)) { + yahoo_process_cookie(yd, pair->value); + } else { + purple_debug_warning("yahoo", "yahoo_process_list_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 317: /* Stealth Setting */ stealth = strtol(pair->value, NULL, 10); 
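Review bot: The validate-or-warn block added for keys 7 and 59 in yahoo_process_list_15 is copied by hand into nearly every other hunk of this patch, with the function name retyped in each string. A shared helper would keep the check and its log text in one place. Called with `G_STRFUNC`, the helper below shrinks each call site to a single `if`, and a handler that forgets the check is easier to spot in review. It needs a declaration visible to the other yahoo source files this patch touches. The switch in yahoo_process_list_15 starts and ends outside the hunk.

```c
/* TRUE when the incoming pair's value is valid UTF-8; otherwise logs a
 * warning naming the caller and the key, and returns FALSE. */
gboolean
yahoo_pair_is_utf8(const struct yahoo_pair *pair, const char *caller)
{
	if (g_utf8_validate(pair->value, -1, NULL))
		return TRUE;

	purple_debug_warning("yahoo", "%s got non-UTF-8 string for key %d\n",
			caller, pair->key);
	return FALSE;
}

/* … unchanged: earlier cases of the switch in yahoo_process_list_15 … */
		case 7: /* buddy's s/n */
			if (yahoo_pair_is_utf8(pair, G_STRFUNC)) {
				g_free(temp);
				temp = g_strdup(purple_normalize(account, pair->value));
			}
			break;
```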
@@ -662,22 +678,42 @@ static void yahoo_process_list(PurpleCon g_string_append(yd->tmp_serv_blist, pair->value); break; case 88: - if (!yd->tmp_serv_ilist) - yd->tmp_serv_ilist = g_string_new(pair->value); - else - g_string_append(yd->tmp_serv_ilist, pair->value); + if (g_utf8_validate(pair->value, -1, NULL)) { + if (!yd->tmp_serv_ilist) + yd->tmp_serv_ilist = g_string_new(pair->value); + else + g_string_append(yd->tmp_serv_ilist, pair->value); + } else { + purple_debug_warning("yahoo", "yahoo_process_list " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 89: - yd->profiles = g_strsplit(pair->value, ",", -1); + if (g_utf8_validate(pair->value, -1, NULL)) { + yd->profiles = g_strsplit(pair->value, ",", -1); + } else { + purple_debug_warning("yahoo", "yahoo_process_list " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 59: /* cookies, yum */ - yahoo_process_cookie(yd, pair->value); + if (g_utf8_validate(pair->value, -1, NULL)) { + yahoo_process_cookie(yd, pair->value); + } else { + purple_debug_warning("yahoo", "yahoo_process_list " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case YAHOO_SERVICE_PRESENCE_PERM: - if (!yd->tmp_serv_plist) - yd->tmp_serv_plist = g_string_new(pair->value); - else - g_string_append(yd->tmp_serv_plist, pair->value); + if (g_utf8_validate(pair->value, -1, NULL)) { + if (!yd->tmp_serv_plist) + yd->tmp_serv_plist = g_string_new(pair->value); + else + g_string_append(yd->tmp_serv_plist, pair->value); + } else { + purple_debug_warning("yahoo", "yahoo_process_list " + "got non-UTF-8 string for key %d\n", pair->key); + } break; } } 
@@ -700,6 +736,12 @@ static void yahoo_process_list(PurpleCon grp = yahoo_string_decode(gc, split[0], FALSE); buddies = g_strsplit(split[1], ",", -1); for (bud = buddies; bud && *bud; bud++) { + if (!g_utf8_validate(*bud, -1, NULL)) { + purple_debug_warning("yahoo", "yahoo_process_list " + "got non-UTF-8 string for bud\n"); + continue; + } + norm_bud = g_strdup(purple_normalize(account, *bud)); f = yahoo_friend_find_or_new(gc, norm_bud); @@ -794,14 +836,26 @@ static void yahoo_process_notify(PurpleC while (l) { struct yahoo_pair *pair = l->data; - if (pair->key == 4 || pair->key == 1) - from = pair->value; + if (pair->key == 4 || pair->key == 1) { + if (g_utf8_validate(pair->value, -1, NULL)) { + from = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_notify " + "got non-UTF-8 string for key %d\n", pair->key); + } + } if (pair->key == 49) msg = pair->value; if (pair->key == 13) stat = pair->value; - if (pair->key == 14) - game = pair->value; + if (pair->key == 14) { + if (g_utf8_validate(pair->value, -1, NULL)) { + game = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_notify " + "got non-UTF-8 string for key %d\n", pair->key); + } + } if (pair->key == 11) val_11 = strtol(pair->value, NULL, 10); if (pair->key == 241) @@ -905,10 +959,15 @@ static void yahoo_process_sms_message(Pu while (l != NULL) { struct yahoo_pair *pair = l->data; if (pair->key == 4) { - sms = g_new0(struct _yahoo_im, 1); - sms->from = g_strdup_printf("+%s", pair->value); - sms->time = time(NULL); - sms->utf8 = TRUE; + if (g_utf8_validate(pair->value, -1, NULL)) { + sms = g_new0(struct _yahoo_im, 1); + sms->from = g_strdup_printf("+%s", pair->value); + sms->time = time(NULL); + sms->utf8 = TRUE; + } else { + purple_debug_warning("yahoo", "yahoo_process_sms_message " + "got non-UTF-8 string for key %d\n", pair->key); + } } if (pair->key == 14) { if (sms) 
@@ -917,8 +976,14 @@ static void yahoo_process_sms_message(Pu if (pair->key == 68) if(sms) g_hash_table_insert(yd->sms_carrier, g_strdup(sms->from), g_strdup(pair->value)); - if (pair->key == 16) - server_msg = pair->value; + if (pair->key == 16) { + if (g_utf8_validate(pair->value, -1, NULL)) { + server_msg = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_sms_message " + "got non-UTF-8 string for key %d\n", pair->key); + } + } l = l->next; } @@ -972,13 +1037,18 @@ static void yahoo_process_message(Purple while (l != NULL) { struct yahoo_pair *pair = l->data; if (pair->key == 4 || pair->key == 1) { - im = g_new0(struct _yahoo_im, 1); - list = g_slist_append(list, im); - im->from = pair->value; - im->time = time(NULL); - im->utf8 = TRUE; - im->fed = YAHOO_FEDERATION_NONE; - im->fed_from = g_strdup(im->from); + if (g_utf8_validate(pair->value, -1, NULL)) { + im = g_new0(struct _yahoo_im, 1); + list = g_slist_append(list, im); + im->from = pair->value; + im->time = time(NULL); + im->utf8 = TRUE; + im->fed = YAHOO_FEDERATION_NONE; + im->fed_from = g_strdup(im->from); + } else { + purple_debug_warning("yahoo", "yahoo_process_message " + "got non-UTF-8 string for key %d\n", pair->key); + } } if (im && pair->key == 5) im->active_id = pair->value; @@ -1034,7 +1104,7 @@ static void yahoo_process_message(Purple } } /* IMV key */ - if (im && pair->key == 63) + if (im && pair->key == 63 && g_utf8_validate(pair->value, -1, NULL)) { /* Check for the Doodle IMV, no IMvironment for federated buddies */ if (im->from != NULL && im->fed == YAHOO_FEDERATION_NONE) 
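Review bot: In yahoo_process_message, when the key 4/1 value fails validation the else branch only logs, so `im` still points at the entry created for the previous sender in the same packet (or stays NULL for the first one). The later `if (im && pair->key == …)` branches would then write the rejected sender's remaining fields into that earlier entry, which can attribute message text to the wrong contact. Resetting the cursor in the else branch with `im = NULL;` drops the whole rejected record instead; this is safe because the earlier entry is already owned by `list`. The key 4 branch of yahoo_process_sms_message has the same shape with `sms`, though there the struct is not held by a list in the visible lines, so a reset would also need to free it. The loop bodies continue outside these hunks.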
@@ -1173,10 +1243,22 @@ static void yahoo_process_sysmessage(Pur while (l) { struct yahoo_pair *pair = l->data; - if (pair->key == 5) - me = pair->value; - if (pair->key == 14) - msg = pair->value; + if (pair->key == 5) { + if (g_utf8_validate(pair->value, -1, NULL)) { + me = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_sysmessage " + "got non-UTF-8 string for key %d\n", pair->key); + } + } + if (pair->key == 14) { + if (g_utf8_validate(pair->value, -1, NULL)) { + msg = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_sysmessage " + "got non-UTF-8 string for key %d\n", pair->key); + } + } l = l->next; } @@ -1334,7 +1416,12 @@ static void yahoo_buddy_auth_req_15(Purp switch (pair->key) { case 4: - temp = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + temp = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_buddy_auth_req_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 13: response = strtol(pair->value, NULL, 10); 
@@ -1389,22 +1476,42 @@ static void yahoo_buddy_auth_req_15(Purp switch (pair->key) { case 4: - temp = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + temp = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_buddy_auth_req_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 5: - add_req->id = g_strdup(pair->value); + if (g_utf8_validate(pair->value, -1, NULL)) { + add_req->id = g_strdup(pair->value); + } else { + purple_debug_warning("yahoo", "yahoo_buddy_auth_req_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 14: msg = pair->value; break; case 216: - firstname = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + firstname = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_buddy_auth_req_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 241: add_req->fed = strtol(pair->value, NULL, 10); break; case 254: - lastname = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + lastname = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_buddy_auth_req_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; } @@ -1485,10 +1592,20 @@ static void yahoo_buddy_added_us(PurpleC switch (pair->key) { case 1: - add_req->id = g_strdup(pair->value); + if (g_utf8_validate(pair->value, -1, NULL)) { + add_req->id = g_strdup(pair->value); + } else { + purple_debug_warning("yahoo", "yahoo_buddy_added_us " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 3: - add_req->who = g_strdup(pair->value); + if (g_utf8_validate(pair->value, -1, NULL)) { + add_req->who = g_strdup(pair->value); + } else { + purple_debug_warning("yahoo", "yahoo_buddy_added_us " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 15: /* time, for when they add us and we're offline */ break; 
@@ -1540,10 +1657,20 @@ static void yahoo_buddy_denied_our_add_o switch (pair->key) { case 3: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_buddy_denied_our_add_old " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 14: - msg = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + msg = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_buddy_denied_our_add_old " + "got non-UTF-8 string for key %d\n", pair->key); + } break; } l = l->next; @@ -1640,12 +1767,28 @@ static void yahoo_process_mail(PurpleCon struct yahoo_pair *pair = l->data; if (pair->key == 9) count = strtol(pair->value, NULL, 10); - else if (pair->key == 43) - who = pair->value; - else if (pair->key == 42) - email = pair->value; - else if (pair->key == 18) - subj = pair->value; + else if (pair->key == 43) { + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_mail " + "got non-UTF-8 string for key %d\n", pair->key); + } + } else if (pair->key == 42) { + if (g_utf8_validate(pair->value, -1, NULL)) { + email = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_mail " + "got non-UTF-8 string for key %d\n", pair->key); + } + } else if (pair->key == 18) { + if (g_utf8_validate(pair->value, -1, NULL)) { + subj = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_mail " + "got non-UTF-8 string for key %d\n", pair->key); + } + } l = l->next; } 
@@ -2075,10 +2218,22 @@ static void yahoo_process_auth(PurpleCon while (l) { struct yahoo_pair *pair = l->data; - if (pair->key == 94) - seed = pair->value; - if (pair->key == 1) - sn = pair->value; + if (pair->key == 94) { + if (g_utf8_validate(pair->value, -1, NULL)) { + seed = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_auth " + "got non-UTF-8 string for key %d\n", pair->key); + } + } + if (pair->key == 1) { + if (g_utf8_validate(pair->value, -1, NULL)) { + sn = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_auth " + "got non-UTF-8 string for key %d\n", pair->key); + } + } if (pair->key == 13) m = atoi(pair->value); l = l->next; @@ -2150,10 +2305,20 @@ static void yahoo_process_ignore(PurpleC struct yahoo_pair *pair = l->data; switch (pair->key) { case 0: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_ignore " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 1: - me = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + me = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_ignore " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 13: /* 1 == ignore, 2 == unignore */ @@ -2222,8 +2387,14 @@ static void yahoo_process_authresp(Purpl if (pair->key == 66) err = strtol(pair->value, NULL, 10); - else if (pair->key == 20) - url = pair->value; + else if (pair->key == 20) { + if (g_utf8_validate(pair->value, -1, NULL)) { + url = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_authresp " + "got non-UTF-8 string for key %d\n", pair->key); + } + } l = l->next; } 
@@ -2311,7 +2482,12 @@ static void yahoo_process_addbuddy(Purpl err = strtol(pair->value, NULL, 10); break; case 7: - temp = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + temp = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_addbuddy " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 65: group = pair->value; @@ -2468,11 +2644,16 @@ static void yahoo_p2p_process_p2pfilexfe switch (pair->key) { case 4: - who = pair->value; - if(strncmp(who, p2p_data->host_username, strlen(p2p_data->host_username)) != 0) { - /* from whom are we receiving the packets ?? */ - purple_debug_warning("yahoo","p2p: received data from wrong user\n"); - return; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + if(strncmp(who, p2p_data->host_username, strlen(p2p_data->host_username)) != 0) { + /* from whom are we receiving the packets ?? */ + purple_debug_warning("yahoo","p2p: received data from wrong user\n"); + return; + } + } else { + purple_debug_warning("yahoo", "yahoo_p2p_process_p2pfilexfer " + "got non-UTF-8 string for key %d\n", pair->key); } break; case 13: 
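Review bot: The sender check in yahoo_p2p_process_p2pfilexfer now fails open: a key 4 value that is not valid UTF-8 is logged and skipped, while a valid value that does not match `p2p_data->host_username` still makes the function `return`. A packet whose sender field is malformed therefore gets further than one whose sender is simply wrong, and the remaining keys are processed without any identity comparison. The else branch should reject the packet the same way, for example by adding `return;` after the `purple_debug_warning(...)` call. Separately, `strncmp` bounded by `strlen(p2p_data->host_username)` is a prefix test, so a longer name that starts with the host username also passes; `strcmp(who, p2p_data->host_username) != 0` would compare the whole string, if a prefix match is not intended. The rest of the switch is outside the hunk.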
@@ -2841,15 +3022,25 @@ static void yahoo_process_p2p(PurpleConn /* our identity */ break; case 4: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_p2p " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 1: /* who again, the master identity this time? */ break; case 12: - base64 = pair->value; - /* so, this is an ip address. in base64. decoded it's in ascii. - after strtol, it's in reversed byte order. Who thought this up?*/ + if (g_utf8_validate(pair->value, -1, NULL)) { + base64 = pair->value; + /* so, this is an ip address. in base64. decoded it's in ascii. + after strtol, it's in reversed byte order. Who thought this up?*/ + } else { + purple_debug_warning("yahoo", "yahoo_process_p2p " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 13: val_13 = strtol(pair->value, NULL, 10); @@ -2938,7 +3129,12 @@ static void yahoo_process_audible(Purple switch (pair->key) { case 4: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_audible " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 5: /* us */ 
@@ -2946,11 +3142,21 @@ static void yahoo_process_audible(Purple case 230: /* the audible, in foo.locale.bar.baz format eg: base.tw.smiley.smiley43 */ - id = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + id = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_audible " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 231: /* the text of the audible */ - msg = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + msg = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_audible " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 232: /* SHA-1 hash of audible SWF file (eg: 4e8691499d9c0fb8374478ff9720f4a9ea4a4915) */ diff -up pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_aliases.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_aliases.c --- pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_aliases.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 +++ pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_aliases.c 2014-01-27 10:20:14.473648650 -0500 @@ -696,8 +696,14 @@ void yahoo_process_contact_details(Purpl struct yahoo_pair *pair = l->data; switch (pair->key) { case 4: - who = pair->value; /* This is the person who sent us the details. - But not necessarily about himself. */ + if (g_utf8_validate(pair->value, -1, NULL)) { + /* This is the person who sent us the details. + But not necessarily about himself. */ + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_contact_details " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 5: break; 
@@ -709,8 +715,13 @@ void yahoo_process_contact_details(Purpl and look into the xml instead to see who the information is about. */ break; case 280: - xml = pair->value; - parse_contact_details(yd, who, xml); + if (g_utf8_validate(pair->value, -1, NULL)) { + xml = pair->value; + parse_contact_details(yd, who, xml); + } else { + purple_debug_warning("yahoo", "yahoo_process_contact_details " + "got non-UTF-8 string for key %d\n", pair->key); + } break; } } diff -up pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_filexfer.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_filexfer.c --- pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_filexfer.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 +++ pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_filexfer.c 2014-01-27 10:20:14.474648740 -0500 
@@ -749,25 +749,60 @@ void yahoo_process_p2pfilexfer(PurpleCon switch(pair->key) { case 5: /* Get who the packet is for */ - me = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + me = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 4: /* Get who the packet is from */ - from = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + from = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 49: /* Get the type of service */ - service = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + service = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 14: /* Get the 'message' of the packet */ - message = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + message = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 13: /* Get the command associated with this packet */ - command = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + command = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 63: /* IMVironment name and version */ - imv = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + imv = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 64: /* Not sure, but it does vary with initialization of Doodle */ - unknown = pair->value; /* So, I'll keep it (for a little while atleast) */ + if (g_utf8_validate(pair->value, -1, NULL)) { + unknown = pair->value; /* So, I'll keep it (for a little while atleast) */ + } 
else { + purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; } @@ -813,16 +848,36 @@ void yahoo_process_filetransfer(PurpleCo switch (pair->key) { case 4: - from = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + from = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetransfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 5: - to = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + to = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetransfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 14: - msg = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + msg = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetransfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 20: - url = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + url = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetransfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 38: expires = strtol(pair->value, NULL, 10); @@ -834,10 +889,20 @@ void yahoo_process_filetransfer(PurpleCo filesize = atol(pair->value); break; case 49: - service = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + service = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetransfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 63: - imv = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + imv = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetransfer " + "got non-UTF-8 string for key %d\n", pair->key); + } break; } } 
@@ -1616,20 +1681,40 @@ void yahoo_process_filetrans_15(PurpleCo switch (pair->key) { case 4: - from = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + from = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 5: - to = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + to = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 265: - xfer_peer_idstring = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + xfer_peer_idstring = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 27: filename_list = g_slist_prepend(filename_list, g_strdup(pair->value)); nooffiles++; break; case 28: - size_list = g_slist_prepend(size_list, g_strdup(pair->value)); + if (g_utf8_validate(pair->value, -1, NULL)) { + size_list = g_slist_prepend(size_list, g_strdup(pair->value)); + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 222: val_222 = atol(pair->value); @@ -1638,10 +1723,20 @@ void yahoo_process_filetrans_15(PurpleCo /* check for p2p and imviron .... not sure it comes by this service packet. Since it was bundled with filexfer in old ymsg version, still keeping it. */ case 49: - service = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + service = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 63: - imv = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + imv = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; /* end check */ 
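Review bot: Key 28 (size) is now dropped when it is not valid UTF-8, but key 27 in the unchanged lines of the same switch in yahoo_process_filetrans_15 still appends to `filename_list` and bumps `nooffiles` unconditionally, so the two lists can end up with different lengths. If code after the loop (outside this hunk) pairs `filename_list` with `size_list` by position, a skipped size would shift every later size onto the wrong file or leave a name without one. Either treat a rejected key 28 as a reason to abandon the whole transfer offer, or keep the lists aligned by prepending a placeholder such as `g_strdup("0")` in the else branch. A short comment on case 27 saying why the filename is exempt from the check (presumably it is decoded later) would also help.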
@@ -1803,7 +1898,12 @@ void yahoo_process_filetrans_info_15(Pur to = pair->value; break; case 265: - xfer_peer_idstring = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + xfer_peer_idstring = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_info_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 27: filename = pair->value; @@ -1816,10 +1916,20 @@ void yahoo_process_filetrans_info_15(Pur /* 249 has value 1 or 2 when doing p2p transfer and value 3 when relaying through yahoo server */ break; case 250: - url = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + url = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_info_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 251: - xfer_idstring_for_relay = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + xfer_idstring_for_relay = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_info_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; } } @@ -1902,10 +2012,20 @@ void yahoo_process_filetrans_acc_15(Purp switch (pair->key) { case 251: - xfer_idstring_for_relay = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + xfer_idstring_for_relay = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_acc_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 265: - xfer_peer_idstring = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + xfer_peer_idstring = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_acc_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 66: val_66 = atol(pair->value); 
@@ -1914,7 +2034,13 @@ void yahoo_process_filetrans_acc_15(Purp val_249 = atol(pair->value); break; case 250: - url = pair->value; /* we get a p2p url here when sending file, connected as client */ + if (g_utf8_validate(pair->value, -1, NULL)) { + /* we get a p2p url here when sending file, connected as client */ + url = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_filetrans_acc_15 " + "got non-UTF-8 string for key %d\n", pair->key); + } break; } } diff -up pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_friend.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_friend.c --- pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_friend.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 +++ pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_friend.c 2014-01-27 10:20:14.474648740 -0500 @@ -158,7 +158,12 @@ void yahoo_process_presence(PurpleConnec switch (pair->key) { case 7: - temp = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + temp = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_presence " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 31: value = strtol(pair->value, NULL, 10); diff -up pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_picture.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_picture.c --- pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_picture.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 +++ pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_picture.c 2014-01-27 10:20:14.475648826 -0500 
@@ -84,10 +84,20 @@ void yahoo_process_picture(PurpleConnect switch (pair->key) { case 1: case 4: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_picture " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 5: - us = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + us = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_picture " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 13: { int tmp; @@ -100,7 +110,12 @@ void yahoo_process_picture(PurpleConnect break; } case 20: - url = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + url = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_picture " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 192: checksum = strtol(pair->value, NULL, 10); @@ -154,7 +169,12 @@ void yahoo_process_picture_checksum(Purp switch (pair->key) { case 4: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_picture_checksum " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 5: /* us */ @@ -197,7 +217,12 @@ void yahoo_process_picture_upload(Purple /* filename on our computer. */ break; case 20: /* url at yahoo */ - url = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + url = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_picture_upload " + "got non-UTF-8 string for key %d\n", pair->key); + } case 38: /* timestamp */ break; } 
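Review bot: In yahoo_process_picture_upload, the new if/else for `case 20` has no `break`, so control runs straight into `case 38`. That is harmless today because case 38 only breaks, but now that case 20 is a multi-line block the fall-through is easy to miss and will misbehave as soon as case 38 gains a body. Add `break;` after the closing brace of the else branch. The switch begins outside the hunk.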
@@ -225,7 +250,12 @@ void yahoo_process_avatar_update(PurpleC switch (pair->key) { case 4: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_avatar_upload " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 5: /* us */ diff -up pidgin-2.10.7/libpurple/protocols/yahoo/yahoochat.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/yahoochat.c --- pidgin-2.10.7/libpurple/protocols/yahoo/yahoochat.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 +++ pidgin-2.10.7/libpurple/protocols/yahoo/yahoochat.c 2014-01-27 10:20:14.475648826 -0500 @@ -156,15 +156,25 @@ void yahoo_process_conference_invite(Pur room = yahoo_string_decode(gc, pair->value, FALSE); break; case 50: /* inviter */ - who = pair->value; - g_string_append_printf(members, "%s\n", who); + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + g_string_append_printf(members, "%s\n", who); + } else { + purple_debug_warning("yahoo", "yahoo_process_conference_invite " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 51: /* This user is being invited to the conference. Comes with status = 11, so we wont reach here */ break; case 52: /* Invited users. Assuming us invited, since we got this packet */ break; /* break needed, or else we add the users to the conference before they accept the invitation */ case 53: /* members who have already joined the conference */ - g_string_append_printf(members, "%s\n", pair->value); + if (g_utf8_validate(pair->value, -1, NULL)) { + g_string_append_printf(members, "%s\n", pair->value); + } else { + purple_debug_warning("yahoo", "yahoo_process_conference_invite " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 58: g_free(msg); 
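Review bot: The warning added in yahoo_process_avatar_update logs the name `yahoo_process_avatar_upload`, which is not the function named in the hunk header; anyone searching a debug log for that string will not find the code that emitted it. The literal should read `"yahoo_process_avatar_update "`, or the call should pass `G_STRFUNC` through a `%s` so the name cannot drift from the function. The function body extends beyond the hunk.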
@@ -220,7 +230,12 @@ void yahoo_process_conference_decline(Pu room = yahoo_string_decode(gc, pair->value, FALSE); break; case 54: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_conference_decline " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 14: g_free(msg); @@ -277,7 +292,12 @@ void yahoo_process_conference_logon(Purp room = yahoo_string_decode(gc, pair->value, FALSE); break; case 53: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_conference_logon " + "got non-UTF-8 string for key %d\n", pair->key); + } break; } } @@ -309,7 +329,12 @@ void yahoo_process_conference_logoff(Pur room = yahoo_string_decode(gc, pair->value, FALSE); break; case 56: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_conference_logoff " + "got non-UTF-8 string for key %d\n", pair->key); + } break; } } @@ -340,7 +365,12 @@ void yahoo_process_conference_message(Pu room = yahoo_string_decode(gc, pair->value, FALSE); break; case 3: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_conference_message " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 14: msg = pair->value; 
@@ -506,18 +536,38 @@ void yahoo_process_chat_join(PurpleConne topic = yahoo_string_decode(gc, pair->value, TRUE); break; case 128: - someid = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + someid = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_chat_join " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 108: /* number of joiners */ break; case 129: - someotherid = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + someotherid = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_chat_join " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 130: - somebase64orhashosomething = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + somebase64orhashosomething = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_chat_join " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 126: - somenegativenumber = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + somenegativenumber = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_chat_join " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 13: /* this is 1. maybe its the type of room? (normal, user created, private, etc?) */ break; @@ -528,7 +578,12 @@ void yahoo_process_chat_join(PurpleConne info about individual room members, (including us) */ case 109: /* the yahoo id */ - members = g_list_append(members, pair->value); + if (g_utf8_validate(pair->value, -1, NULL)) { + members = g_list_append(members, pair->value); + } else { + purple_debug_warning("yahoo", "yahoo_process_chat_join " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 110: /* age */ break; 
@@ -625,8 +680,14 @@ void yahoo_process_chat_exit(PurpleConne g_free(room); room = yahoo_string_decode(gc, pair->value, TRUE); } - if (pair->key == 109) - who = pair->value; + if (pair->key == 109) { + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_chat_exit " + "got non-UTF-8 string for key %d\n", pair->key); + } + } } if (who && room) { @@ -658,10 +719,20 @@ void yahoo_process_chat_message(PurpleCo room = yahoo_string_decode(gc, pair->value, TRUE); break; case 109: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_chat_message " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 117: - msg = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + msg = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_chat_message " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 124: msgtype = strtol(pair->value, NULL, 10); @@ -724,7 +795,12 @@ void yahoo_process_chat_addinvite(Purple msg = yahoo_string_decode(gc, pair->value, FALSE); break; case 119: - who = pair->value; + if (g_utf8_validate(pair->value, -1, NULL)) { + who = pair->value; + } else { + purple_debug_warning("yahoo", "yahoo_process_chat_addinvite " + "got non-UTF-8 string for key %d\n", pair->key); + } break; case 118: /* us */ break;