Wed, 01 Mar 2017 03:13:00 +0000
Merged in EionRobb/security/EionRobb/fix-for-crash-when-sending-invalid-xml-e-1487474010880 (pull request #15)
Fix for crash when sending invalid xml entities separated by whitespace, eg "&# 3000;"
Approved-by: Gary Kramlich
Approved-by: dx
--- a/libpurple/util.c Sun Feb 19 03:30:18 2017 +0000
+++ b/libpurple/util.c Wed Mar 01 03:13:00 2017 +0000
@@ -978,18 +978,29 @@
 pln = "\302\256"; /* or use g_unichar_to_utf8(0xae); */
 else if(IS_ENTITY("'"))
 pln = "\'";
- else if(*(text+1) == '#' &&
- (sscanf(text, "&#%u%1[;]", £, temp) == 2 ||
- sscanf(text, "&#x%x%1[;]", £, temp) == 2) &&
- pound != 0) {
+ else if(text[1] == '#' && g_ascii_isxdigit(text[2])) {
 static char buf[7];
- int buflen = g_unichar_to_utf8((gunichar)pound, buf);
+ const char *start = text + 2;
+ char *end;
+ guint64 pound;
+ int base = 10;
+ int buflen;
+
+ if (*start == 'x') {
+ base = 16;
+ start++;
+ }
+
+ pound = g_ascii_strtoull(start, &end, base);
+ if (pound == 0 || pound > INT_MAX || *end != ';') {
+ return NULL;
+ }
+
+ len = (end - text) + 1;
+
+ buflen = g_unichar_to_utf8((gunichar)pound, buf);
 buf[buflen] = '\0';
 pln = buf;
-
- len = (*(text+2) == 'x' ? 3 : 2);
- while(isxdigit((gint) text[len])) len++;
- if(text[len] == ';') len++;
 }
 else
 return NULL;
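Review bot: The new guard `text[1] == '#' && g_ascii_isxdigit(text[2])` rejects every hexadecimal reference, because in `&#x41;` the byte at `text[2]` is `x`, which is not a hex digit; the `if (*start == 'x')` branch below it can therefore never run and hex entities fall through to `return NULL`. Widening the guard to `else if(text[1] == '#' && (g_ascii_isxdigit(text[2]) || text[2] == 'x')) {` restores them, and an `if (!g_ascii_isxdigit(*start)) return NULL;` after the `start++` block keeps `g_ascii_strtoull` from skipping leading whitespace or a sign there, which is the input shape this commit is closing off. Separately, `pound > INT_MAX` keeps the output within `buf[7]`, but it still lets surrogates and values above U+10FFFF through, so the returned bytes may not be valid UTF-8; a `g_unichar_validate((gunichar)pound)` test would tighten that. The enclosing function starts and ends outside this hunk, so how callers treat the returned buffer is not visible here.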