Bugzilla – Attachment 22896 Details for
Bug 59194
VUL-0: CVE-2004-2589: new gaim issues
[patch]
the patch. The MSN things, again, are already fixed by us
gaim-0.81-security2.diff (text/plain), 10.06 KB, created by
Sebastian Krahmer
on 2004-08-25 16:42:12 UTC
Description:
the patch. The MSN things, again, are already fixed by us
Creator:
Sebastian Krahmer
Created:
2004-08-25 16:42:12 UTC
Size:
10.06 KB
>diff -ruN gaim-0.81/src/gtkprefs.c gaim-0.81-patched/src/gtkprefs.c
>--- gaim-0.81/src/gtkprefs.c 2004-07-27 20:07:02.000000000 -0400
>+++ gaim-0.81-patched/src/gtkprefs.c 2004-08-23 22:23:20.464472424 -0400
>@@ -523,7 +523,7 @@
>
> void theme_install_theme(char *path, char *extn) {
> #ifndef _WIN32
>- gchar *command;
>+ gchar *command, *escaped;
> #endif
> gchar *destdir;
> gchar *tail;
>@@ -544,7 +544,9 @@
> * other platforms, if need be */
> if (!g_ascii_strcasecmp(tail, ".gz") || !g_ascii_strcasecmp(tail, ".tgz")) {
> #ifndef _WIN32
>- command = g_strdup_printf("tar > /dev/null xzf \"%s\" -C %s", path, destdir);
>+ escaped = g_shell_quote(path);
>+ command = g_strdup_printf("tar > /dev/null xzf %s -C %s", escaped, destdir);
>+ g_free(escaped);
> #else
> if(!wgaim_gz_untar(path, destdir)) {
> g_free(destdir);
>diff -ruN gaim-0.81/src/protocols/msn/object.c gaim-0.81-patched/src/protocols/msn/object.c
>--- gaim-0.81/src/protocols/msn/object.c 2004-06-05 23:42:54.000000000 -0400
>+++ gaim-0.81-patched/src/protocols/msn/object.c 2004-08-23 22:23:20.465472272 -0400
>@@ -35,11 +35,18 @@
> if ((tag = strstr(str, id "=\"")) != NULL) \
> { \
> char buf[16]; \
>+ size_t offset; \
> tag += strlen(id "=\""); \
> c = strchr(tag, '"'); \
>- strncpy(buf, tag, c - tag); \
>- buf[c - tag] = '\0'; \
>- obj->field = atoi(buf); \
>+ if (c != NULL) \
>+ { \
>+ memset(buf, 0, sizeof(buf)); \
>+ offset = c - tag; \
>+ if (offset >= sizeof(buf)) \
>+ offset = sizeof(buf) - 1; \
>+ strncpy(buf, tag, offset); \
>+ obj->field = atoi(buf); \
>+ } \
> }
>
> static GList *local_objs;
>diff -ruN gaim-0.81/src/protocols/msn/slp.c gaim-0.81-patched/src/protocols/msn/slp.c
>--- gaim-0.81/src/protocols/msn/slp.c 2004-06-14 22:37:25.000000000 -0400
>+++ gaim-0.81-patched/src/protocols/msn/slp.c 2004-08-23 22:23:20.465472272 -0400
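Review bot: In the `@@ -544` hunk of src/gtkprefs.c, `destdir` is still interpolated into the shell command unquoted, so the new `g_shell_quote(path)` protects only half of the command line. If the directory it names (built outside this hunk) contains a space or a shell metacharacter, the shell splits or reinterprets the command. Quote it the same way, `escaped_dir = g_shell_quote(destdir);`, pass `escaped_dir` as the `-C` argument and free it afterwards. Building an argument vector and running tar without a shell (for example with GLib's `g_spawn_sync`) would remove the quoting problem altogether. theme_install_theme continues outside the hunk, so how `command` is executed is not visible here.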
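Review bot: In the `@@ -35` hunk of src/protocols/msn/object.c, the bounded copy still ends in `atoi(buf)`, which cannot report failure and has undefined behaviour when the digits do not fit in an `int`; `buf` can hold up to 15 characters taken from the peer's object string, which is enough to exceed that range. Parsing with `strtol`, checking `errno == ERANGE` and the end pointer, and leaving `obj->field` untouched on error would close that gap. A value longer than 15 characters is silently truncated and parsed as a different number, so rejecting it would be safer than clamping `offset`. The macro begins above the hunk, so its name and callers are not visible here.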
>@@ -645,8 +645,11 @@
> if ((c = strchr(status, '\r')) || (c = strchr(status, '\n')) ||
> (c = strchr(status, '\0')))
> {
>- strncpy(temp, status, c - status);
>- temp[c - status] = '\0';
>+ size_t offset = c - status;
>+ if (offset >= sizeof(temp))
>+ offset = sizeof(temp) - 1;
>+ strncpy(temp, status, offset);
>+ temp[offset] = '\0';
> }
>
> gaim_debug_error("msn", "Received non-OK result: %s\n", temp);
>diff -ruN gaim-0.81/src/protocols/novell/nmevent.c gaim-0.81-patched/src/protocols/novell/nmevent.c
>--- gaim-0.81/src/protocols/novell/nmevent.c 2004-06-12 11:13:29.000000000 -0400
>+++ gaim-0.81-patched/src/protocols/novell/nmevent.c 2004-08-23 22:32:49.957896264 -0400
>@@ -27,6 +27,8 @@
> #include "nmuserrecord.h"
> #include "nmrtf.h"
>
>+#define MAX_UINT32 0xFFFFFFFF
>+
> struct _NMEvent
> {
>
>@@ -147,6 +149,8 @@
>
> /* Read the conference guid */
> rc = nm_read_uint32(conn, &size);
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>+
> if (rc == NM_OK) {
> guid = g_new0(char, size + 1);
> rc = nm_read_all(conn, guid, size);
>@@ -160,8 +164,9 @@
> /* Read the message text */
> if (rc == NM_OK) {
> rc = nm_read_uint32(conn, &size);
>- if (rc == NM_OK) {
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>
>+ if (rc == NM_OK) {
> msg = g_new0(char, size + 1);
> rc = nm_read_all(conn, msg, size);
>
>@@ -265,6 +270,8 @@
>
> /* Read the conference guid */
> rc = nm_read_uint32(conn, &size);
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>+
> if (rc == NM_OK) {
> guid = g_new0(char, size + 1);
> rc = nm_read_all(conn, guid, size);
>@@ -273,6 +280,8 @@
> /* Read the the message */
> if (rc == NM_OK) {
> rc = nm_read_uint32(conn, &size);
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>+
> if (rc == NM_OK) {
> msg = g_new0(char, size + 1);
> rc = nm_read_all(conn, msg, size);
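Review bot: In the `@@ -645` hunk of src/protocols/msn/slp.c, the clamp `offset >= sizeof(temp)` is correct only if `temp` is declared as a character array in this function; its declaration is outside the hunk. If `temp` were a pointer, `sizeof(temp)` would be the pointer size and the bound would be wrong. A comment at the clamp such as `/* temp is a fixed-size array, so sizeof gives its capacity */` would record that assumption. The `strncpy` plus manual terminator pair can also be written as `g_strlcpy(temp, status, offset + 1);`, which always terminates.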
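Review bot: The new guard in the `@@ -147` hunk of src/protocols/novell/nmevent.c, `if (size == MAX_UINT32) return NMERR_PROTOCOL;`, tests `size` before `rc` is checked and rejects only the single value that makes `size + 1` wrap to zero. When `nm_read_uint32` fails, `size` may hold a stale or unset value (its initialisation is outside the hunk), and every other length sent by the server still reaches `g_new0`, which aborts the process if the allocation fails. Move the test under the `rc == NM_OK` check and compare against a protocol limit, for example `if (rc == NM_OK && size > NM_MAX_FIELD_LEN) rc = NMERR_PROTOCOL;`, where `NM_MAX_FIELD_LEN` is a placeholder for a constant the project would define. The same applies to the identical guards in the hunks at `@@ -160`, `@@ -265`, `@@ -273`, `@@ -340`, `@@ -390`, `@@ -427`, `@@ -475`, `@@ -513`, `@@ -570`, `@@ -611` and `@@ -649`.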
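Review bot: In the `@@ -160` hunk, the added `return NMERR_PROTOCOL;` appears to run after `guid` was allocated by the first read shown in the `@@ -147` hunk (assuming both hunks belong to the same function, as their line numbers suggest), so the early return skips the function's cleanup and leaks that buffer. Setting `rc = NMERR_PROTOCOL;` and letting control fall through the existing `if (rc == NM_OK)` tests would keep a single exit path. The `@@ -273` hunk has the same shape. The cleanup code is outside both hunks, so this needs confirming against the full file.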
>@@ -340,6 +349,8 @@
>
> /* Read the conference guid */
> rc = nm_read_uint32(conn, &size);
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>+
> if (rc == NM_OK) {
> guid = g_new0(char, size + 1);
> rc = nm_read_all(conn, guid, size);
>@@ -390,6 +401,8 @@
>
> /* Read the conference guid */
> rc = nm_read_uint32(conn, &size);
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>+
> if (rc == NM_OK) {
> guid = g_new0(char, size + 1);
> rc = nm_read_all(conn, guid, size);
>@@ -427,6 +440,8 @@
>
> /* Read the conference guid */
> rc = nm_read_uint32(conn, &size);
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>+
> if (rc == NM_OK) {
> guid = g_new0(char, size + 1);
> rc = nm_read_all(conn, guid, size);
>@@ -475,6 +490,8 @@
>
> /* Read the conference guid */
> rc = nm_read_uint32(conn, &size);
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>+
> if (rc == NM_OK) {
> guid = g_new0(char, size + 1);
> rc = nm_read_all(conn, guid, size);
>@@ -513,6 +530,8 @@
>
> /* Read the conference guid */
> rc = nm_read_uint32(conn, &size);
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>+
> if (rc == NM_OK) {
> guid = g_new0(char, size + 1);
> rc = nm_read_all(conn, guid, size);
>@@ -570,6 +589,8 @@
>
> /* Read the conference guid */
> rc = nm_read_uint32(conn, &size);
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>+
> if (rc == NM_OK) {
> guid = g_new0(char, size + 1);
> rc = nm_read_all(conn, guid, size);
>@@ -611,11 +632,11 @@
>
> /* Read the status text */
> rc = nm_read_uint32(conn, &size);
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>+
> if (rc == NM_OK) {
>- if (size > 0) {
>- text = g_new0(char, size + 1);
>- rc = nm_read_all(conn, text, size);
>- }
>+ text = g_new0(char, size + 1);
>+ rc = nm_read_all(conn, text, size);
> }
> }
>
>@@ -649,6 +670,8 @@
>
> /* Read the conference guid */
> rc = nm_read_uint32(conn, &size);
>+ if (size == MAX_UINT32) return NMERR_PROTOCOL;
>+
> if (rc == NM_OK) {
> guid = g_new0(char, size + 1);
> rc = nm_read_all(conn, guid, size);
>diff -ruN gaim-0.81/src/protocols/novell/nmrtf.c gaim-0.81-patched/src/protocols/novell/nmrtf.c
>--- gaim-0.81/src/protocols/novell/nmrtf.c 2004-06-12 11:13:29.000000000 -0400
>+++ gaim-0.81-patched/src/protocols/novell/nmrtf.c 2004-08-23 22:31:54.135382576 -0400
>@@ -506,9 +506,9 @@
> gboolean param_set = FALSE;
> gboolean is_neg = FALSE;
> int param = 0;
>- char *pch;
> char keyword[30];
> char parameter[20];
>+ int i;
>
> keyword[0] = '\0';
> parameter[0] = '\0';
>@@ -523,11 +523,11 @@
> }
>
> /* parse keyword */
>- for (pch = keyword; isalpha(ch); rtf_get_char(ctx, &ch)) {
>- *pch = (char) ch;
>- pch++;
>+ for (i = 0; isalpha(ch) && (i < sizeof(keyword) - 1); rtf_get_char(ctx, &ch)) {
>+ keyword[i] = (char) ch;
>+ i++;
> }
>- *pch = '\0';
>+ keyword[i] = '\0';
>
> /* check for '-' indicated a negative parameter value */
> if (ch == '-') {
>@@ -540,11 +540,11 @@
> if (isdigit(ch)) {
>
> param_set = TRUE;
>- for (pch = parameter; isdigit(ch); rtf_get_char(ctx, &ch)) {
>- *pch = (char) ch;
>- pch++;
>+ for (i = 0; isdigit(ch) && (i < sizeof(parameter) - 1); rtf_get_char(ctx, &ch)) {
>+ parameter[i] = (char) ch;
>+ i++;
> }
>- *pch = '\0';
>+ parameter[i] = '\0';
>
> ctx->param = param = atoi(parameter);
> if (is_neg)
>diff -ruN gaim-0.81/src/protocols/zephyr/zephyr.c gaim-0.81-patched/src/protocols/zephyr/zephyr.c
>--- gaim-0.81/src/protocols/zephyr/zephyr.c 2004-07-27 20:51:27.000000000 -0400
>+++ gaim-0.81-patched/src/protocols/zephyr/zephyr.c 2004-08-23 22:30:38.018954032 -0400
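Review bot: In the `@@ -523` hunk of src/protocols/novell/nmrtf.c, a keyword longer than 29 letters now stops the loop with `ch` still alphabetic, so the truncated prefix is handled as if it were the complete keyword and the remaining letters are left for the code after the hunk to interpret. Consuming the rest of the run and rejecting the control word would be safer than acting on a prefix. The `@@ -540` hunk truncates `parameter` the same way, which changes the number `atoi` returns. The counter is declared `int i` in the `@@ -506` hunk but compared with a `size_t` expression; declaring it `size_t i` avoids the signed/unsigned comparison.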
>@@ -67,8 +67,8 @@
> GSList *subscrips;
> int last_id;
> unsigned short port;
>- char ourhost[MAXHOSTNAMELEN];
>- char ourhostcanon[MAXHOSTNAMELEN];
>+ char ourhost[HOST_NAME_MAX + 1];
>+ char ourhostcanon[HOST_NAME_MAX + 1];
> };
>
> /* struct I need for zephyr_to_html */
>@@ -860,19 +860,21 @@
> /* XXX This code may not be Win32 clean */
> struct hostent *hent;
>
>- if (gethostname(zephyr->ourhost, sizeof(zephyr->ourhost)-1) == -1) {
>+ if (gethostname(zephyr->ourhost, sizeof(zephyr->ourhost)) == -1) {
> gaim_debug(GAIM_DEBUG_ERROR, "zephyr", "unable to retrieve hostname, %%host%% and %%canon%% will be wrong in subscriptions and have been set to unknown\n");
>- g_stpcpy(zephyr->ourhost,"unknown");
>- g_stpcpy(zephyr->ourhostcanon,"unknown");
>+ g_strlcpy(zephyr->ourhost, "unknown", sizeof(zephyr->ourhost));
>+ g_strlcpy(zephyr->ourhostcanon, "unknown", sizeof(zephyr->ourhostcanon));
> return;
> }
>
> if (!(hent = gethostbyname(zephyr->ourhost))) {
> gaim_debug(GAIM_DEBUG_ERROR,"zephyr", "unable to resolve hostname, %%canon%% will be wrong in subscriptions.and has been set to the value of %%host%%, %s\n",zephyr->ourhost);
>- g_stpcpy(zephyr->ourhostcanon,zephyr->ourhost);
>+ g_strlcpy(zephyr->ourhostcanon, zephyr->ourhost, sizeof(zephyr->ourhostcanon));
> return;
> }
>- g_stpcpy(zephyr->ourhostcanon,hent->h_name);
>+
>+ g_strlcpy(zephyr->ourhostcanon, hent->h_name, sizeof(zephyr->ourhostcanon));
>+
> return;
> }
>
>diff -ruN gaim-0.81/src/util.c gaim-0.81-patched/src/util.c
>--- gaim-0.81/src/util.c 2004-08-05 10:17:03.000000000 -0400
>+++ gaim-0.81-patched/src/util.c 2004-08-23 22:25:06.069418032 -0400
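Review bot: `HOST_NAME_MAX`, used for both arrays in the `@@ -67` hunk of src/protocols/zephyr/zephyr.c, is not defined on every platform; POSIX allows `<limits.h>` to omit it, and the comment in the next hunk already doubts that this code is Win32 clean. The patch adds neither an include nor a fallback, so the build may break where the old `MAXHOSTNAMELEN` worked. A guard near the includes, `#ifndef HOST_NAME_MAX` / `#define HOST_NAME_MAX 255` / `#endif`, keeps the larger buffer without that dependency.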
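Review bot: In the `@@ -860` hunk, `gethostname(zephyr->ourhost, sizeof(zephyr->ourhost))` now hands the whole array to the call, and POSIX leaves it unspecified whether a truncated name is null-terminated. The old `sizeof(...)-1` at least kept the last byte out of the call's reach; the new code passes `ourhost` straight to `gethostbyname`, the `%s` debug message and `g_strlcpy`, all of which read it as a string. Add `zephyr->ourhost[sizeof(zephyr->ourhost) - 1] = '\0';` after a successful call. The function starts above the hunk.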
>@@ -2627,8 +2627,8 @@
> * if we make sure that there is indeed a \n in our header.
> */
> if (p && g_strstr_len(p, data_len - (p - data), "\n")) {
>- sscanf(p, "Content-Length: %d", (int *)&content_len);
>- gaim_debug_misc("parse_content_len", "parsed %d\n", content_len);
>+ sscanf(p, "Content-Length: %u", (int *)&content_len);
>+ gaim_debug_misc("parse_content_len", "parsed %u\n", content_len);
> }
>
> return content_len;
>@@ -2752,7 +2752,14 @@
>
> /* In with the new. */
> gfud->data_len = content_len;
>- gfud->webdata = g_malloc(gfud->data_len);
>+ gfud->webdata = g_try_malloc(gfud->data_len);
>+ if (gfud->webdata == NULL) {
>+ gaim_debug_error("gaim_url_fetch", "Failed to allocate %u bytes: %s\n", gfud->data_len, strerror(errno));
>+ gaim_input_remove(gfud->inpa);
>+ close(sock);
>+ gfud->callback(gfud->user_data, NULL, 0);
>+ destroy_fetch_url_data(gfud);
>+ }
> }
> else
> gfud->newline = TRUE;
>@@ -2839,11 +2846,18 @@
> static char buf[BUF_LEN];
> guint i, j = 0;
> char *bum;
>+ char hex[3];
>
> g_return_val_if_fail(str != NULL, NULL);
>
>+ /*
>+ * XXX - This check could be removed and buf could be made
>+ * dynamically allocated, but this is easier.
>+ */
>+ if (strlen(str) >= BUF_LEN)
>+ return NULL;
>+
> for (i = 0; i < strlen(str); i++) {
>- char hex[3];
>
> if (str[i] != '%')
> buf[j++] = str[i];
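Review bot: In the `@@ -2627` hunk of src/util.c, the conversion changed to `%u` but the argument is still cast with `(int *)`, and the result of `sscanf` is not checked. The cast suggests `content_len` is not an `int` (its declaration is outside the hunk); if it is a `size_t`, only part of the object is written on LP64 targets and `%u` in the debug call does not match it either. `%u` also accepts a leading minus sign and wraps it to a large value. Parse into a local and validate it, `unsigned int len = 0;` then `if (sscanf(p, "Content-Length: %u", &len) == 1) content_len = len;`, ideally with an upper bound on the accepted length.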
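Review bot: The failure branch added in the `@@ -2752` hunk ends with `destroy_fetch_url_data(gfud);` and no `return;`, so control leaves the `if` and continues in the enclosing function with `gfud` already destroyed and the input handler removed. Whatever follows the hunk (not visible here) must not touch `gfud`; adding `return;` as the last statement of the branch makes that certain. `g_try_malloc(0)` returns NULL, so a response with `Content-Length: 0` is also reported as an allocation failure, with a stale `errno`. `data_len` is taken from the server without an upper limit, so a large value that the allocator does satisfy is still accepted.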
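Review bot: The length check added in the `@@ -2839` hunk makes the function return NULL for a valid but long `str`, where the visible code previously returned NULL only for a NULL argument via `g_return_val_if_fail`. Callers are outside this patch, so each one needs to be checked for a NULL test before the result is used. The function's doc comment should state the new contract, for example `Returns NULL if str is BUF_LEN characters or longer.` The result still lives in `static char buf[BUF_LEN]` and is overwritten by the next call; the dynamically allocated buffer mentioned in the XXX comment would remove both limits. The function body continues past the hunk.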