Fix oob read caused by ptr[0] being NULL in inbound_notice

If ptr[0] is NULL, then strchr may return a pointer to the NULL
terminator for serv->nick_prefixes, making the if statement true, which
then leads to the pointer increment leaving ptr oob. Now we check to
ensure ptr[0] != NULL.

From the Linux manpages for strchr:
    The terminating null byte is considered part of the string, so that if c is
    specified as '\0', these functions return a pointer to the terminator.
Joseph Bisch 2017-09-18 21:40:57 -04:00 committed by TingPing
parent a388d0c553
commit f4a592c4f0
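
The strchr behaviour described in the commit message, as an added example that is not code from this commit or its project: it evaluates the old and new conditions on constructed targets and checks whether the offset reached by the following ptr++ stays inside the string. The prefix value "@+" and all function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for serv->nick_prefixes; the value is an assumption. */
static const char *const sample_prefixes = "@+";

/* Condition as it stood before the fix (without the !sess part). */
static int unguarded_is_prefix(const char *prefixes, const char *ptr)
{
    /* For ptr == "", ptr[0] is '\0' and strchr() returns the terminator. */
    return strchr(prefixes, ptr[0]) != NULL;
}

/* Condition after the fix: an empty target never counts as prefixed. */
static int guarded_is_prefix(const char *prefixes, const char *ptr)
{
    return ptr[0] && strchr(prefixes, ptr[0]) != NULL;
}

/* Offset that the caller's ptr++ would reach; nothing is dereferenced. */
static size_t offset_after_skip(int is_prefix)
{
    return is_prefix ? 1u : 0u;
}

/* An offset is usable only if it lies at or before the terminator. */
static int offset_in_bounds(const char *ptr, size_t off)
{
    return off <= strlen(ptr);
}

int main(void)
{
    const char *targets[] = { "", "@#chan", "#chan" }; /* constructed inputs */
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        const char *t = targets[i];
        size_t before = offset_after_skip(unguarded_is_prefix(sample_prefixes, t));
        size_t after = offset_after_skip(guarded_is_prefix(sample_prefixes, t));
        printf("target=\"%s\" unguarded: offset %zu (%s), guarded: offset %zu (%s)\n",
               t, before, offset_in_bounds(t, before) ? "in bounds" : "OUT OF BOUNDS",
               after, offset_in_bounds(t, after) ? "in bounds" : "OUT OF BOUNDS");
    }
    return 0;
}
```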


@ -940,7 +940,7 @@ inbound_notice (server *serv, char *to, char *nick, char *msg, char *ip, int id,
sess = find_channel (serv, ptr); sess = find_channel (serv, ptr);
/* /notice [mode-prefix]#channel should end up in that channel */ /* /notice [mode-prefix]#channel should end up in that channel */
if (!sess && strchr(serv->nick_prefixes, ptr[0]) != NULL) if (!sess && ptr[0] && strchr(serv->nick_prefixes, ptr[0]) != NULL)
{ {
ptr++; ptr++;
sess = find_channel (serv, ptr); sess = find_channel (serv, ptr);