diff -up pidgin-2.6.6/libpurple/ntlm.c.CVE-2010-3711 pidgin-2.6.6/libpurple/ntlm.c
--- pidgin-2.6.6/libpurple/ntlm.c.CVE-2010-3711 2010-02-16 04:34:06.000000000 -0500
+++ pidgin-2.6.6/libpurple/ntlm.c 2010-10-19 17:09:08.342393608 -0400
@@ -152,9 +152,14 @@ purple_ntlm_parse_type2(const gchar *typ
 static guint8 nonce[8];
 tmsg = (struct type2_message*)purple_base64_decode(type2, &retlen);
- memcpy(nonce, tmsg->nonce, 8);
- if (flags != NULL)
- *flags = GUINT16_FROM_LE(tmsg->flags);
+ if (tmsg != NULL && retlen >= (sizeof(struct type2_message) - 1)) {
+ memcpy(nonce, tmsg->nonce, 8);
+ if (flags != NULL)
+ *flags = GUINT16_FROM_LE(tmsg->flags);
+ } else {
+ purple_debug_error("ntlm", "Unable to parse type2 message - returning empty nonce.\n");
+ memset(nonce, 0, 8);
+ }
 g_free(tmsg);
 return nonce;
diff -up pidgin-2.6.6/libpurple/plugins/perl/common/Util.xs.CVE-2010-3711 pidgin-2.6.6/libpurple/plugins/perl/common/Util.xs
--- pidgin-2.6.6/libpurple/plugins/perl/common/Util.xs.CVE-2010-3711 2010-02-16 04:34:06.000000000 -0500
+++ pidgin-2.6.6/libpurple/plugins/perl/common/Util.xs 2010-10-19 17:09:08.342393608 -0400
@@ -238,7 +238,7 @@ purple_base16_decode(str)
 guchar *ret;
 CODE:
 ret = purple_base16_decode(str, &len);
- if(len) {
+ if(ret && len > 0) {
 RETVAL = newSVpv((gchar *)ret, len);
 } else {
 g_free(ret);
@@ -256,7 +256,7 @@ purple_base64_decode(str)
 guchar *ret;
 CODE:
 ret = purple_base64_decode(str, &len);
- if(len) {
+ if(ret && len > 0) {
 RETVAL = newSVpv((gchar *)ret, len);
 } else {
 g_free(ret);
diff -up pidgin-2.6.6/libpurple/protocols/jabber/auth_digest_md5.c.CVE-2010-3711 pidgin-2.6.6/libpurple/protocols/jabber/auth_digest_md5.c
--- pidgin-2.6.6/libpurple/protocols/jabber/auth_digest_md5.c.CVE-2010-3711 2010-02-16 04:34:06.000000000 -0500
+++ pidgin-2.6.6/libpurple/protocols/jabber/auth_digest_md5.c 2010-10-19 17:09:08.348393539 -0400
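Review bot: On the new else branch `*flags` is never written, so a caller that passes a non-NULL `flags` and reads it after a failed parse sees an indeterminate value, whereas before this change it was always assigned; add `if (flags != NULL) *flags = 0;` next to the `memset`. The caller also cannot distinguish the zeroed nonce from a real one, because both cases return the same static buffer — the function's doc comment should state that an all-zero nonce plus the logged error is the only failure signal. The `- 1` in `retlen >= (sizeof(struct type2_message) - 1)` is not explained by anything in the hunk; a one-line comment naming the trailing field it discounts would keep the next reader from "correcting" it. purple_ntlm_parse_type2 begins outside the hunk.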
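Review bot: `len` is now read only after `ret` tests non-NULL, which is what makes the new condition safe, but `len` itself is declared above the hunk and, judging from the clientlogin.c hunk that initialises `cookiedata_len = 0`, the decoders may leave it unset on failure; initialising it at its declaration (`gsize len = 0;`) would keep both Util.xs hunks robust if the condition is ever reordered. The same applies to `gsize rgb_len;` introduced by the second qq/im.c hunk and, presumably, to `len` in both libymsg.c hunks, whose declarations are outside the visible hunks. The enclosing XS bodies start outside the hunks.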
@@ -182,7 +182,9 @@ digest_md5_handle_challenge(JabberStream
 dec_in = (char *)purple_base64_decode(enc_in, NULL);
 purple_debug_misc("jabber", "decoded challenge (%"
- G_GSIZE_FORMAT "): %s\n", strlen(dec_in), dec_in);
+ G_GSIZE_FORMAT "): %s\n",
+ dec_in != NULL ? strlen(dec_in) : 0,
+ dec_in != NULL ? dec_in : "(null)");
 parts = parse_challenge(dec_in);
diff -up pidgin-2.6.6/libpurple/protocols/msn/slp.c.CVE-2010-3711 pidgin-2.6.6/libpurple/protocols/msn/slp.c
--- pidgin-2.6.6/libpurple/protocols/msn/slp.c.CVE-2010-3711 2010-02-16 04:34:06.000000000 -0500
+++ pidgin-2.6.6/libpurple/protocols/msn/slp.c 2010-10-19 17:44:22.733409625 -0400
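Review bot: The NULL case is handled only for the log line; `parse_challenge(dec_in)` on the last context line still receives a NULL `dec_in` when the base64 decode fails, so unless parse_challenge is NULL-safe the fault just moves one call later. A guard such as `if (dec_in == NULL) { /* malformed challenge: bail out */ }` before that call, returning whatever this function uses to report a failed challenge, would close it. Whether `strlen(dec_in)` is valid on the decoder's output also depends on purple_base64_decode NUL-terminating its buffer, which nothing in the hunk shows; a comment stating that assumption would help. digest_md5_handle_challenge starts and ends outside the hunk.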
@@ -399,30 +399,33 @@ got_sessionreq(MsnSlpCall *slpcall, cons
 if (xfer) {
 bin = (char *)purple_base64_decode(context, &bin_len);
- file_size = GUINT32_FROM_LE(*(gsize *)(bin + 8));
+ if (bin)
+ {
+ file_size = GUINT32_FROM_LE(*(gsize *)(bin + 8));
- file_name = g_convert(bin + 20, MAX_FILE_NAME_LEN, "UTF-8", "UTF-16LE",
- NULL, NULL, NULL);
+ file_name = g_convert(bin + 20, MAX_FILE_NAME_LEN, "UTF-8", "UTF-16LE",
+ NULL, NULL, NULL);
- g_free(bin);
+ g_free(bin);
- purple_xfer_set_filename(xfer, file_name ? file_name : "");
- g_free(file_name);
- purple_xfer_set_size(xfer, file_size);
- purple_xfer_set_init_fnc(xfer, msn_xfer_init);
- purple_xfer_set_request_denied_fnc(xfer, msn_xfer_cancel);
- purple_xfer_set_cancel_recv_fnc(xfer, msn_xfer_cancel);
- purple_xfer_set_read_fnc(xfer, msn_xfer_read);
- purple_xfer_set_write_fnc(xfer, msn_xfer_write);
+ purple_xfer_set_filename(xfer, file_name ? file_name : "");
+ g_free(file_name);
+ purple_xfer_set_size(xfer, file_size);
+ purple_xfer_set_init_fnc(xfer, msn_xfer_init);
+ purple_xfer_set_request_denied_fnc(xfer, msn_xfer_cancel);
+ purple_xfer_set_cancel_recv_fnc(xfer, msn_xfer_cancel);
+ purple_xfer_set_read_fnc(xfer, msn_xfer_read);
+ purple_xfer_set_write_fnc(xfer, msn_xfer_write);
- slpcall->u.incoming_data = g_byte_array_new();
+ slpcall->u.incoming_data = g_byte_array_new();
- slpcall->xfer = xfer;
- purple_xfer_ref(slpcall->xfer);
+ slpcall->xfer = xfer;
+ purple_xfer_ref(slpcall->xfer);
- xfer->data = slpcall;
+ xfer->data = slpcall;
- purple_xfer_request(xfer);
+ purple_xfer_request(xfer);
+ }
 }
 accepted = TRUE;
diff -up pidgin-2.6.6/libpurple/protocols/myspace/message.c.CVE-2010-3711 pidgin-2.6.6/libpurple/protocols/myspace/message.c
--- pidgin-2.6.6/libpurple/protocols/myspace/message.c.CVE-2010-3711 2010-02-16 04:34:06.000000000 -0500
+++ pidgin-2.6.6/libpurple/protocols/myspace/message.c 2010-10-19 17:09:08.346393561 -0400
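Review bot: `if (bin)` only rules out a NULL decode; the body still reads four bytes at `bin + 8` and MAX_FILE_NAME_LEN bytes at `bin + 20` without consulting `bin_len`, so a short but syntactically valid base64 context still reads past the end of the decoded buffer. The guard should demand the bytes the body consumes, `bin != NULL && bin_len >= 20 + MAX_FILE_NAME_LEN`, and the size field is better read through `memcpy` into a `guint32`: `*(gsize *)(bin + 8)` is an access through an incompatible pointer type at an address that need not be aligned, and on LP64 targets it reads eight bytes rather than four. On the new NULL path `xfer`, which already exists when the `if (xfer)` test passes, is neither requested nor released, so if it was allocated above the hunk it is presumably leaked and should be cancelled or unreffed there. got_sessionreq begins and ends outside the hunk.
```c
if (bin != NULL && bin_len >= 20 + MAX_FILE_NAME_LEN)
{
	guint32 le_size;

	/* Copy rather than cast: bin + 8 need not be aligned, and gsize
	 * is wider than the 4-byte field on LP64 targets. */
	memcpy(&le_size, bin + 8, sizeof le_size);
	file_size = GUINT32_FROM_LE(le_size);

	file_name = g_convert(bin + 20, MAX_FILE_NAME_LEN, "UTF-8", "UTF-16LE",
	                      NULL, NULL, NULL);
	/* … unchanged: g_free(bin), purple_xfer_set_* calls, slpcall/xfer wiring, purple_xfer_request … */
}
```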
@@ -1363,7 +1363,7 @@ msim_msg_get_binary_from_element(MsimMes
 * */
 *binary_data = (gchar *)purple_base64_decode((const gchar *)elem->data, binary_length);
- return TRUE;
+ return ((*binary_data) != NULL);
 case MSIM_TYPE_BINARY:
 gs = (GString *)elem->data;
diff -up pidgin-2.6.6/libpurple/protocols/oscar/clientlogin.c.CVE-2010-3711 pidgin-2.6.6/libpurple/protocols/oscar/clientlogin.c
--- pidgin-2.6.6/libpurple/protocols/oscar/clientlogin.c.CVE-2010-3711 2010-10-19 17:08:33.360798037 -0400
+++ pidgin-2.6.6/libpurple/protocols/oscar/clientlogin.c 2010-10-19 17:09:08.347393550 -0400
@@ -259,7 +259,7 @@ static void start_oscar_session_cb(Purpl
 char *tls_certname = NULL;
 unsigned short port;
 guint8 *cookiedata;
- gsize cookiedata_len;
+ gsize cookiedata_len = 0;
 od = user_data;
 gc = od->gc;
diff -up pidgin-2.6.6/libpurple/protocols/qq/im.c.CVE-2010-3711 pidgin-2.6.6/libpurple/protocols/qq/im.c
--- pidgin-2.6.6/libpurple/protocols/qq/im.c.CVE-2010-3711 2010-02-16 04:34:06.000000000 -0500
+++ pidgin-2.6.6/libpurple/protocols/qq/im.c 2010-10-19 17:09:08.344393584 -0400
@@ -547,7 +547,6 @@ qq_im_format *qq_im_fmt_new_by_purple(co
 const gchar *start, *end, *last;
 GData *attribs;
 gchar *tmp;
- unsigned char *rgb;
 g_return_val_if_fail(msg != NULL, NULL);
@@ -570,8 +569,11 @@ qq_im_format *qq_im_fmt_new_by_purple(co
 tmp = g_datalist_get_data(&attribs, "color");
 if (tmp && strlen(tmp) > 1) {
- rgb = purple_base16_decode(tmp + 1, NULL);
- g_memmove(fmt->rgb, rgb, 3);
+ unsigned char *rgb;
+ gsize rgb_len;
+ rgb = purple_base16_decode(tmp + 1, &rgb_len);
+ if (rgb != NULL && rgb_len >= 3)
+ g_memmove(fmt->rgb, rgb, 3);
 g_free(rgb);
 }
diff -up pidgin-2.6.6/libpurple/protocols/yahoo/libymsg.c.CVE-2010-3711 pidgin-2.6.6/libpurple/protocols/yahoo/libymsg.c
--- pidgin-2.6.6/libpurple/protocols/yahoo/libymsg.c.CVE-2010-3711 2010-02-16 04:34:06.000000000 -0500
+++ pidgin-2.6.6/libpurple/protocols/yahoo/libymsg.c 2010-10-19 17:09:08.338393653 -0400
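Review bot: `return ((*binary_data) != NULL);` turns a decode failure into FALSE, but `*binary_length` is left at whatever purple_base64_decode wrote, which — judging from the clientlogin.c hunk that initialises its length to 0 — may be nothing; setting `*binary_length = 0;` before returning FALSE (guarded by a NULL check if `binary_length` may be NULL, which the hunk does not show) keeps the two out-parameters consistent. Callers that relied on this case always returning TRUE now have to check the result, so the function's doc comment should state that FALSE means `*binary_data` is NULL and nothing needs freeing. msim_msg_get_binary_from_element starts and ends outside the hunk.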
@@ -317,7 +317,7 @@ static void yahoo_process_status(PurpleC
 if (pair->value) {
 decoded = purple_base64_decode(pair->value, &len);
- if (len) {
+ if (decoded && len > 0) {
 tmp = purple_str_binary_to_ascii(decoded, len);
 purple_debug_info("yahoo", "Got key 197, value = %s\n", tmp);
 g_free(tmp);
@@ -2781,15 +2781,17 @@ static void yahoo_process_p2p(PurpleConn
 if (base64) {
 guint32 ip;
 YahooFriend *f;
- char *host_ip;
+ char *host_ip, *tmp;
 struct yahoo_p2p_data *p2p_data;
 decoded = purple_base64_decode(base64, &len);
- if (len) {
- char *tmp = purple_str_binary_to_ascii(decoded, len);
- purple_debug_info("yahoo", "Got P2P service packet (from server): who = %s, ip = %s\n", who, tmp);
- g_free(tmp);
+ if (decoded == NULL) {
+ purple_debug_info("yahoo","p2p: Unable to decode base64 IP (%s) \n", base64);
+ return;
 }
+ tmp = purple_str_binary_to_ascii(decoded, len);
+ purple_debug_info("yahoo", "Got P2P service packet (from server): who = %s, ip = %s\n", who, tmp);
+ g_free(tmp);
 ip = strtol((gchar *)decoded, NULL, 10);
 g_free(decoded);
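Review bot: The new early return guards the decode, but `ip = strtol((gchar *)decoded, NULL, 10);` on the following context line still treats a `len`-byte binary buffer as a C string; unless purple_base64_decode guarantees a trailing NUL, strtol can read past the end of `decoded`, and with the old `if (len)` test gone a zero-length decode now reaches it as well. Bounding the parse by the known length closes both: `tmp = g_strndup((gchar *)decoded, len); ip = strtol(tmp, NULL, 10); g_free(tmp);`. The early `return` also skips whatever cleanup the rest of yahoo_process_p2p performs, which is only fine if nothing allocated earlier in the function is still owned at that point — the hunk does not show that. yahoo_process_p2p begins and ends outside the hunk.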