Index: pidgin-2.7.3/libpurple/util.c
===================================================================
--- pidgin-2.7.3.orig/libpurple/util.c 2010-08-10 09:35:49.000000000 +0200
+++ pidgin-2.7.3/libpurple/util.c 2014-03-14 17:13:31.206897505 +0100
@@ -33,6 +33,8 @@
#include "prefs.h"
#include "util.h"
+#define MAX_HTTP_CHUNK_SIZE (10 * 1024 * 1024)
+
struct _PurpleUtilFetchUrlData
{
PurpleUtilFetchUrlCallback callback;
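Review bot: The new `MAX_HTTP_CHUNK_SIZE` limit is a security bound with no comment saying what it protects or why 10 MiB was chosen. A one-line comment above the define would do, for example `/* Largest single HTTP chunk process_chunked_data() accepts; larger sizes are treated as malformed input. */`. If the fetch code already has a maximum response length elsewhere in the file (not visible in this hunk), it would be worth stating how the two limits relate.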
@@ -3728,11 +3730,12 @@ process_chunked_data(char *data, gsize *
break;
s += 2;
- if (s + sz > data + *len) {
+ if (sz > MAX_HTTP_CHUNK_SIZE || s + sz > data + *len) {
purple_debug_error("util", "Error processing chunked data: "
"Chunk size %" G_GSIZE_FORMAT " bytes was longer "
"than the data remaining in the buffer (%"
G_GSIZE_FORMAT " bytes)\n", sz, data + *len - s);
+ break;
}
/* Move all data overtop of the chunk length that we read in earlier */
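Review bot: The retained comparison `s + sz > data + *len` still builds a pointer from `sz` (presumably parsed from the chunk-size line of the response) before `sz` is checked against the buffer. The cap makes wraparound unlikely, but forming a pointer more than one past the end of the buffer is undefined behaviour in C. Comparing lengths avoids it: `if (sz > MAX_HTTP_CHUNK_SIZE || sz > (gsize)(data + *len - s)) {`, which assumes `s` cannot pass `data + *len` after `s += 2`, something the lines outside the hunk would have to guarantee. Both conditions also share one log message, so a chunk rejected for exceeding the cap is reported as "longer than the data remaining in the buffer"; a separate message for the cap would make the debug log accurate. The function body starts and ends outside the hunk.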
@@ -3740,7 +3743,7 @@ process_chunked_data(char *data, gsize *
p += sz;
s += sz;
newlen += sz;
- if (*s != '\r' && *(s + 1) != '\n') {
+ if (*s == '\0' || (*s != '\r' && *(s + 1) != '\n')) {
purple_debug_error("util", "Error processing chunked data: "
"Expected \\r\\n, found: %s\n", s);
break;
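Review bot: The terminator check still joins the two byte tests with `&&`, so `\r` followed by any byte, or any byte followed by `\n`, passes as a valid CRLF; the chunk should be rejected unless both bytes match. The added `*s == '\0'` guard also relies on the buffer being NUL-terminated at `data + *len`, which is not visible here, because the earlier bound lets `s` land exactly on the end of the data after `s += sz`. A length-based form covers both cases: `if (data + *len - s < 2 || s[0] != '\r' || s[1] != '\n') {`. The `%s` in the error message depends on the same terminator, and the enclosing loop continues outside the hunk.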