diff options
| author | jgeboski <jgeboski@gmail.com> | 2015-12-20 20:26:24 -0500 |
|---|---|---|
| committer | jgeboski <jgeboski@gmail.com> | 2015-12-20 20:26:24 -0500 |
| commit | 28ec26e7ca9b1909c65939cea7f55fc72c55ed9c (patch) | |
| tree | c4a5345d6990f46cd437aff235e26bc200538d0f /facebook/facebook-json.c | |
| parent | 00c0ae832b2f04969d205b951ae37b9bc884b84f (diff) | |
| download | bitlbee-facebook-28ec26e7ca9b1909c65939cea7f55fc72c55ed9c.tar.gz bitlbee-facebook-28ec26e7ca9b1909c65939cea7f55fc72c55ed9c.tar.bz2 bitlbee-facebook-28ec26e7ca9b1909c65939cea7f55fc72c55ed9c.tar.xz | |
facebook-json: fixed a size overflow with string duplication
Unlike json_parser_load_from_data(), g_strndup() will not handle signed
sizes that are negative. This causes the size to overflow to a really
large value, and in turn lead to a segmentation fault.
The solution is simple: calculate the size of the data when the given
size is negative.
This bug was introduced by 0121bae.
Diffstat (limited to 'facebook/facebook-json.c')
| -rw-r--r-- | facebook/facebook-json.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/facebook/facebook-json.c b/facebook/facebook-json.c index 9176f03..f4d3c0d 100644 --- a/facebook/facebook-json.c +++ b/facebook/facebook-json.c @@ -256,9 +256,14 @@ fb_json_node_new(const gchar *data, gssize size, GError **error) JsonNode *root; JsonParser *prsr; + g_return_val_if_fail(data != NULL, NULL); + + if (size < 0) { + size = strlen(data); + } + /* Ensure data is null terminated for json-glib < 1.0.2 */ slice = g_strndup(data, size); - prsr = json_parser_new(); if (!json_parser_load_from_data(prsr, slice, size, error)) { |