From: <the...@us...> - 2006-08-12 11:00:42
Revision: 16718 Author: thekingant Date: 2006-08-12 04:00:39 -0700 (Sat, 12 Aug 2006) ViewCVS: http://svn.sourceforge.net/gaim/?rev=16718&view=rev Log Message: ----------- Backport SVN revision #16717 from HEAD to v2_0_0 Original commit message: Fix a bug reported by Jon Oberheide. If there is an extra either 1 or 3 bytes on an incoming oscar message then our ICBM parser gets into an infinite loop. This could open be caused by a malicious server or a man-in-the-middle. ViewCVS Links: ------------- http://svn.sourceforge.net/gaim/?rev=16717&view=rev Modified Paths: -------------- branches/v2_0_0/src/protocols/oscar/family_icbm.c Modified: branches/v2_0_0/src/protocols/oscar/family_icbm.c =================================================================== --- branches/v2_0_0/src/protocols/oscar/family_icbm.c 2006-08-12 10:59:13 UTC (rev 16717) +++ branches/v2_0_0/src/protocols/oscar/family_icbm.c 2006-08-12 11:00:39 UTC (rev 16718) @@ -1588,7 +1588,7 @@ * I've changed it to process the TLVs in-place. This avoids lots * of per-IM memory allocations. */ - while (byte_stream_empty(bs)) + while (byte_stream_empty(bs) >= 4) { type = byte_stream_get16(bs); length = byte_stream_get16(bs);
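Review bot: The new condition `while (byte_stream_empty(bs) >= 4)` only guarantees room for the 4-byte type/length header read by the two `byte_stream_get16(bs)` calls. The visible lines do not show `length` being compared against the bytes still left in `bs` before the TLV value is consumed. Since the log message names a malicious server or a man-in-the-middle as the source of the malformed input, please confirm that the loop body rejects or clamps a `length` larger than `byte_stream_empty(bs)` after the header is read, and add that check if it is missing. Two smaller points on the same line: the bare `4` deserves a short comment saying it is the size of the TLV header (two 16-bit fields), and the comment block above should mention that 1 to 3 trailing bytes are now silently ignored, so that a later reader does not relax the test back to a plain non-zero check. The helper's name also reads as a boolean while it is used here as a remaining-byte count, which makes the comparison easy to misread.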