diff -up pidgin-2.6.6/libpurple/protocols/oscar/family_feedbag.c.CVE-2011-4601 pidgin-2.6.6/libpurple/protocols/oscar/family_feedbag.c
--- pidgin-2.6.6/libpurple/protocols/oscar/family_feedbag.c.CVE-2011-4601 2010-02-16 04:34:06.000000000 -0500
+++ pidgin-2.6.6/libpurple/protocols/oscar/family_feedbag.c 2011-12-12 08:57:51.216258374 -0500
@@ -1724,18 +1724,35 @@ static int receiveauthgrant(OscarData *o
 int ret = 0;
 aim_rxcallback_t userfunc;
 guint16 tmp;
- char *bn, *msg;
+ char *bn, *msg, *tmpstr;
 /* Read buddy name */
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
- else
- bn = NULL;
+ tmp = byte_stream_get8(bs);
+ if (!tmp) {
+ purple_debug_warning("oscar", "Dropping auth request SNAC "
+ "because username was empty\n");
+ return 0;
+ }
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping auth request SNAC "
+ "because the username was not valid UTF-8\n");
+ g_free(bn);
+ }
- /* Read message (null terminated) */
- if ((tmp = byte_stream_get16(bs)))
+ /* Read message */
+ tmp = byte_stream_get16(bs);
+ if (tmp) {
 msg = byte_stream_getstr(bs, tmp);
- else
+ if (!g_utf8_validate(msg, -1, NULL)) {
+ /* Ugh, msg isn't UTF8. Let's salvage. */
+ purple_debug_warning("oscar", "Got non-UTF8 message in auth "
+ "request from %s\n", bn);
+ tmpstr = purple_utf8_salvage(msg);
+ g_free(msg);
+ msg = tmpstr;
+ }
+ } else
 msg = NULL;
 /* Unknown */
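Review bot: The added UTF-8 check on `bn` in receiveauthgrant frees the name but does not leave the function: after `g_free(bn);` the block closes with no `return`, so execution falls through with a dangling `bn`. Within this hunk the freed pointer is then formatted with `%s` in the non-UTF-8 message warning, and whatever follows outside the hunk (presumably the handler call and a later `g_free(bn)`) would be a use-after-free or double free on a name supplied by the peer. The branch should end the same way the empty-name branch does, with `g_free(bn);` followed by `return 0;`. The identical omission is in the receiveauthrequest, receiveauthreply and receiveadded hunks; in receiveadded the freed `bn` is visibly passed to `userfunc(od, conn, frame, bn)`. The function body continues outside the hunk.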
@@ -1798,18 +1815,35 @@ static int receiveauthrequest(OscarData
 int ret = 0;
 aim_rxcallback_t userfunc;
 guint16 tmp;
- char *bn, *msg;
+ char *bn, *msg, *tmpstr;
 /* Read buddy name */
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
- else
- bn = NULL;
+ tmp = byte_stream_get8(bs);
+ if (!tmp) {
+ purple_debug_warning("oscar", "Dropping auth grant SNAC "
+ "because username was empty\n");
+ return 0;
+ }
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping auth grant SNAC "
+ "because the username was not valid UTF-8\n");
+ g_free(bn);
+ }
- /* Read message (null terminated) */
- if ((tmp = byte_stream_get16(bs)))
+ /* Read message */
+ tmp = byte_stream_get16(bs);
+ if (tmp) {
 msg = byte_stream_getstr(bs, tmp);
- else
+ if (!g_utf8_validate(msg, -1, NULL)) {
+ /* Ugh, msg isn't UTF8. Let's salvage. */
+ purple_debug_warning("oscar", "Got non-UTF8 message in auth "
+ "grant from %s\n", bn);
+ tmpstr = purple_utf8_salvage(msg);
+ g_free(msg);
+ msg = tmpstr;
+ }
+ } else
 msg = NULL;
 /* Unknown */
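Review bot: The warning strings added in this hunk say "auth grant" although the hunk header places the code in receiveauthrequest, while the receiveauthgrant hunk logs "auth request"; the wording looks swapped between the two functions. Anyone triaging dropped SNACs from the debug log would be pointed at the wrong handler. If the hunk headers are accurate, this hunk should log `"Dropping auth request SNAC "` and `"request from %s\n"`, and the receiveauthgrant hunk the "grant" variants. The header only shows the nearest preceding function line, so confirm against the full file before changing the strings.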
@@ -1882,21 +1916,38 @@ static int receiveauthreply(OscarData *o
 aim_rxcallback_t userfunc;
 guint16 tmp;
 guint8 reply;
- char *bn, *msg;
+ char *bn, *msg, *tmpstr;
 /* Read buddy name */
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
- else
- bn = NULL;
+ tmp = byte_stream_get8(bs);
+ if (!tmp) {
+ purple_debug_warning("oscar", "Dropping auth reply SNAC "
+ "because username was empty\n");
+ return 0;
+ }
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping auth reply SNAC "
+ "because the username was not valid UTF-8\n");
+ g_free(bn);
+ }
 /* Read reply */
 reply = byte_stream_get8(bs);
- /* Read message (null terminated) */
- if ((tmp = byte_stream_get16(bs)))
+ /* Read message */
+ tmp = byte_stream_get16(bs);
+ if (tmp) {
 msg = byte_stream_getstr(bs, tmp);
- else
+ if (!g_utf8_validate(msg, -1, NULL)) {
+ /* Ugh, msg isn't UTF8. Let's salvage. */
+ purple_debug_warning("oscar", "Got non-UTF8 message in auth "
+ "reply from %s\n", bn);
+ tmpstr = purple_utf8_salvage(msg);
+ g_free(msg);
+ msg = tmpstr;
+ }
+ } else
 msg = NULL;
 /* Unknown */
@@ -1922,10 +1973,18 @@ static int receiveadded(OscarData *od, F
 char *bn;
 /* Read buddy name */
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
- else
- bn = NULL;
+ tmp = byte_stream_get8(bs);
+ if (!tmp) {
+ purple_debug_warning("oscar", "Dropping 'you were added' SNAC "
+ "because username was empty\n");
+ return 0;
+ }
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping 'you were added' SNAC "
+ "because the username was not valid UTF-8\n");
+ g_free(bn);
+ }
 if ((userfunc = aim_callhandler(od, snac->family, snac->subtype)))
 ret = userfunc(od, conn, frame, bn);
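Review bot: The buddy-name parsing added to receiveauthreply is the fourth hand-copied instance of the same read, empty check and UTF-8 check (it also appears in receiveauthgrant, receiveauthrequest and receiveadded), differing only in the SNAC label inside the log strings. Keeping the validation of peer-supplied names in one file-local helper would mean that any correction to the drop path is made once rather than in four places, and each handler would reduce to a NULL check on the result. A sketch of such a helper and its call site follows; the helper name is a suggestion and the message handling further down is untouched. receiveauthreply's body starts and ends outside the hunk.

```c
/* Reads the length-prefixed buddy name; logs and returns NULL when the
 * name is empty or not valid UTF-8, so callers only have to bail out. */
static char *
read_snac_buddy_name(ByteStream *bs, const char *snac_desc)
{
	guint8 len = byte_stream_get8(bs);
	char *bn;

	if (!len) {
		purple_debug_warning("oscar", "Dropping %s SNAC "
				"because username was empty\n", snac_desc);
		return NULL;
	}
	bn = byte_stream_getstr(bs, len);
	if (!g_utf8_validate(bn, -1, NULL)) {
		purple_debug_warning("oscar", "Dropping %s SNAC "
				"because the username was not valid UTF-8\n", snac_desc);
		g_free(bn);
		return NULL;
	}
	return bn;
}

	/* in receiveauthreply(), replacing the inline name parsing */
	bn = read_snac_buddy_name(bs, "auth reply");
	if (bn == NULL)
		return 0;
	/* … unchanged: reply byte and message parsing … */
```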