Opened 10 years ago
Closed 10 years ago
#3436 closed defect (fixed)
purple_markup_html_to_xhtml in util.c segfaults given invalid html
| Reported by: | jeffr | Owned by: | nosnilmot |
|---|---|---|---|
| Milestone: | | Component: | libpurple |
| Version: | 2.2.1 | Keywords: | |
| Cc: | | | |
Description
purple_markup_html_to_xhtml, which appears to only be called when sending an XMPP IM or chat message, can crash given strange HTML. For example, the string "<a>" will cause a segfault.
test case: purple_markup_html_to_xhtml("<a>", g_string_new(""), g_string_new(""));
Change History (4)
comment:1 Changed 10 years ago by jeffr
comment:2 Changed 10 years ago by nosnilmot
- Component changed from XMPP to libpurple
- Owner changed from nwalp to nosnilmot
- Status changed from new to assigned
- Version changed from 2.2.0 to 2.2.1
comment:3 Changed 10 years ago by QuLogic
To be more specific for this example, it expects an "href=" for every "<a>". This should only crash if the href is missing in the first <a>, since otherwise, the GString it's accessing is no longer NULL. The GString is free'd when a new href is found, so it should still be a valid pointer, though it will result in totally incorrect data.
At least, that's how I see it at the moment.
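The two failure modes described in comment:3 (a NULL dereference when the first `<a>` has no href, and reuse of the previous link's href afterwards) both come from keeping href state across tags. The following is an added example, not libpurple code and not the patch referenced in this ticket; `list_anchor_hrefs` is a hypothetical helper, and the scanner is simplified to lowercase tags with a double-quoted `href`:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libpurple code): writes the href of every <a> tag
 * in html to out, one per line, or "(none)" when the tag has no href.
 * Returns the number of <a> tags seen, or -1 if out is too small. */
static int list_anchor_hrefs(const char *html, char *out, size_t outsz)
{
    const char *p = html;
    size_t used = 0;
    int count = 0;

    if (outsz == 0) return -1;
    out[0] = '\0';
    while ((p = strstr(p, "<a")) != NULL) {
        const char *end = strchr(p, '>');
        if (end == NULL) break;                        /* unterminated tag */
        if (p[2] != '>' && p[2] != ' ') { p = end + 1; continue; } /* e.g. <abbr> */
        /* State is per tag and starts out empty, so a missing href is neither
         * a NULL dereference nor a leftover value from the previous link. */
        const char *href = NULL;
        size_t hlen = 0;
        const char *h = strstr(p, "href=\"");
        if (h != NULL && h < end) {                    /* attribute inside this tag */
            const char *q = memchr(h + 6, '"', (size_t)(end - (h + 6)));
            if (q != NULL) { href = h + 6; hlen = (size_t)(q - href); }
        }
        if (href == NULL) { href = "(none)"; hlen = 6; }
        if (used + hlen + 2 > outsz) return -1;        /* room for "\n" and NUL */
        memcpy(out + used, href, hlen);
        used += hlen;
        out[used++] = '\n';
        out[used] = '\0';
        count++;
        p = end + 1;
    }
    return count;
}

int main(void)
{
    char buf[128];
    /* Constructed inputs: the ticket's "<a>" and a link followed by a bare <a>. */
    int n = list_anchor_hrefs("<a>", buf, sizeof buf);
    printf("%d tag(s):\n%s", n, buf);
    n = list_anchor_hrefs("<a href=\"http://x.example/\">1</a><a>2</a>", buf, sizeof buf);
    printf("%d tag(s):\n%s", n, buf);
    return 0;
}
```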
comment:4 Changed 10 years ago by lschiere@…
- Resolution set to fixed
- Status changed from assigned to closed
(In aff089bc73ecc6fe8ebbeac670db8be13511fcf4) a patch from stu for html handling.
fixes #3436




Sorry, here is a more proper test case: