diff src/protocols/oscar/im.c @ 10595:de34037a02c7
[gaim-migrate @ 12010]
Forward port some other stuff from oldstatus
committer: Tailor Script <tailor@pidgin.im>
| author | Mark Doliner <mark@kingant.net> |
|---|---|
| date | Mon, 14 Feb 2005 03:07:06 +0000 |
| parents | 0810288958ad |
| children | f7431a6ff0cb |
--- a/src/protocols/oscar/im.c Mon Feb 14 03:02:36 2005 +0000
+++ b/src/protocols/oscar/im.c Mon Feb 14 03:07:06 2005 +0000
@@ -248,7 +248,7 @@
 return -EINVAL;
 if (args->flags & AIM_IMFLAGS_MULTIPART) {
- if (args->mpmsg->numparts <= 0)
+ if (args->mpmsg->numparts == 0)
 return -EINVAL;
 } else {
 if (!args->msg || (args->msglen <= 0))
@@ -1332,6 +1332,11 @@
 /* Message string length, including character set info. */
 msglen = aimbs_get16(&mbs);
+ if (msglen > aim_bstream_empty(&mbs))
+ {
+ faimdprintf(sess, 0, "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.");
+ break;
+ }
 /* Character set info */
 flag1 = aimbs_get16(&mbs);
@@ -1411,7 +1416,7 @@
 aim_rxcallback_t userfunc;
 int ret = 0;
 struct aim_incomingim_ch1_args args;
- int endpos;
+ unsigned int endpos;
 memset(&args, 0, sizeof(args));
@@ -1422,11 +1427,17 @@
 * I've changed it to process the TLVs in-place. This avoids lots
 * of per-IM memory allocations.
 */
- while (aim_bstream_empty(bs)) {
-
+ while (aim_bstream_empty(bs))
+ {
 type = aimbs_get16(bs);
 length = aimbs_get16(bs);
+ if (length > aim_bstream_empty(bs))
+ {
+ faimdprintf(sess, 0, "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);
+ break;
+ }
+
 endpos = aim_bstream_curpos(bs) + length;
 if (type == 0x0002) { /* Message Block */
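Review bot: The guard added after `msglen = aimbs_get16(&mbs);` passes a format string containing `%s` but supplies no matching argument, so faimdprintf reads a non-existent vararg (undefined behavior) on exactly the malformed-input path the check exists to handle; the three sibling guards in the later hunks pass `userinfo->sn` and end the message with `\n`. If userinfo is in scope in this function, make it `faimdprintf(sess, 0, "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);`, otherwise drop the `%s` and keep the newline. The enclosing function and the loop this `break` leaves both start outside the hunk.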
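Review bot: The rewritten `while` header and the new length guard put the opening brace on its own line, while the surrounding code in this loop keeps K&R braces (`if (type == 0x0002) {`, `} else if (type == 0x0017) {`); the guards added in the 1444 and 1498 hunks do the same. Keeping the file's style, `while (aim_bstream_empty(bs)) {` and `if (length > aim_bstream_empty(bs)) {`, avoids mixing the two conventions inside one function. Separately, the `break` on an oversized TLV length leaves the loop rather than the function, so if the callback invocation shown in the last hunk still runs afterward, the handler receives a partially parsed args; a one-line comment on the `break` stating that this is intended would help the next reader. The loop body continues past the end of the hunk.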
@@ -1444,10 +1455,20 @@
 aimbs_get8(bs); /* 01 */
 args.featureslen = aimbs_get16(bs);
- /* XXX XXX this is all evil! */
- args.features = bs->data + bs->offset;
- aim_bstream_advance(bs, args.featureslen);
- args.icbmflags |= AIM_IMFLAGS_CUSTOMFEATURES;
+ if (args.featureslen > aim_bstream_empty(bs))
+ {
+ faimdprintf(sess, 0, "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);
+ break;
+ }
+ if (args.featureslen == 0)
+ {
+ args.features = NULL;
+ }
+ else
+ {
+ args.features = aimbs_getraw(bs, args.featureslen);
+ args.icbmflags |= AIM_IMFLAGS_CUSTOMFEATURES;
+ }
 /*
 * The rest of the TLV contains one or more message
@@ -1498,8 +1519,17 @@
 } else if (type == 0x0017) {
+ free(args.extdata);
 args.extdatalen = length;
- args.extdata = aimbs_getraw(bs, args.extdatalen);
+ if (args.extdatalen > aim_bstream_empty(bs))
+ {
+ faimdprintf(sess, 0, "Received an IM containing an invalid message part from %s. They are probably trying to do something malicious.\n", userinfo->sn);
+ break;
+ }
+ if (args.extdatalen == 0)
+ args.extdata = NULL;
+ else
+ args.extdata = aimbs_getraw(bs, args.extdatalen);
 } else {
 faimdprintf(sess, 0, "incomingim_ch1: unknown TLV 0x%04x (len %d)\n", type, length);
@@ -1521,6 +1551,7 @@
 ret = userfunc(sess, rx, channel, userinfo, &args);
 aim_mpmsg_free(sess, &args.mpmsg);
+ free(args.features);
 free(args.extdata);
 return ret;
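Review bot: The new features-length guard compares `args.featureslen` against `aim_bstream_empty(bs)`, which (going by its use as the loop condition) is what remains in the whole stream, not against the end of the current TLV that the previous hunk computes into `endpos`; a features length that stays inside the stream but runs past `endpos` still passes, and the message parsing that follows would then consume the next TLV's bytes as part of this one. Bounding it as `if (args.featureslen > endpos - aim_bstream_curpos(bs))` closes that gap, assuming endpos still marks the TLV end at this point. Also, unlike the 0x0017 branch in the next hunk, nothing releases a previous `args.features` before `aimbs_getraw` assigns a fresh buffer, so a repeated 0x0002 TLV leaks the earlier allocation on remote-controlled input; a `free(args.features);` ahead of the guard would mirror the extdata handling. The TLV branch continues past the end of the hunk.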
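Review bot: `free(args.extdata);` at the top of the 0x0017 branch does not reset the pointer, so on the `break` path a few lines later `args.extdata` still holds the freed address and the `free(args.extdata)` after the loop (context in the last hunk) would free it a second time. That path appears unreachable as written, because the loop-head guard in the previous hunk already rejects `length > aim_bstream_empty(bs)` and this branch re-tests the same value, but the dangling pointer costs nothing to close: `free(args.extdata); args.extdata = NULL;`. Once the pointer is reset, the duplicated length check here could be dropped in favour of the loop-head one, or kept with a comment saying why both exist.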
