iiiypuk/hexchat
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix oob read in ctcp_check

Browse Source 
word[4] can be too short, leading to the addition of ctcp_offset
putting us out of bounds. This results in an oob read in ctcp_check.
This commit is contained in:
Joseph Bisch
2017-10-16 20:31:21 -04:00
committed by TingPing
parent 1452e803fb
commit a3db4e5773
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/common/ctcp.c
View File

@@ -148,6 +148,9 @@ ctcp_handle (session *sess, char *to, char *nick, char *ip,
serv->p_nctcp (serv, nick, outbuf); serv->p_nctcp (serv, nick, outbuf);
} }
if (word[4][1] == '\0')
return;
if (!ctcp_check (sess, nick, word, word_eol, word[4] + ctcp_offset)) if (!ctcp_check (sess, nick, word, word_eol, word[4] + ctcp_offset))
{ {
if (!g_ascii_strncasecmp (msg, "SOUND", 5)) if (!g_ascii_strncasecmp (msg, "SOUND", 5))