From 9698fc0a190f958fa28a8e54b2bfd6ccfdb2aa18 Mon Sep 17 00:00:00 2001
From: dequis
Date: Wed, 12 Oct 2016 05:07:25 -0300
Subject: jabber: Don't pass a readonly empty string to imcb_chat_topic()

Fixes crashes when a topic is unset and strip_html is set to always. Turns out that the strip_html() function does a strcpy at the end which may write a single null byte over the null byte of the empty string, and if it's not in writable memory, that blows up.

Thanks to iamthemcmaster / mcm for pointing this out
---
 protocols/jabber/conference.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'protocols')

diff --git a/protocols/jabber/conference.c b/protocols/jabber/conference.c
index 3a6cff7c..593e4233 100644
--- a/protocols/jabber/conference.c
+++ b/protocols/jabber/conference.c
@@ -465,7 +465,8 @@ void jabber_chat_pkt_message(struct im_connection *ic, struct jabber_buddy *bud,
 	}
 
 	if (subject && chat) {
-		char *subject_text = subject->text_len > 0 ? subject->text : "";
+		char empty[1] = "";
+		char *subject_text = subject->text_len > 0 ? subject->text : empty;
 		if (g_strcmp0(chat->topic, subject_text) != 0) {
 			bare_jid = (bud) ? jabber_get_bare_jid(bud->ext_jid) : NULL;
 			imcb_chat_topic(chat, bare_jid, subject_text,
-- 
cgit v1.2.3
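Review bot: The new `char empty[1] = "";` is an automatic buffer with block lifetime, so replacing the static literal is only safe if imcb_chat_topic() copies `topic` rather than retaining the pointer; that assumption is not visible in the hunk and deserves a comment at the declaration, e.g. `/* writable: imcb_chat_topic()/strip_html() may write through topic; callee must copy */`. The commit message says the crash comes from strip_html() writing through the `topic` argument inside imcb_chat_topic(), which means every other caller that passes a string literal or other read-only buffer has the same latent crash; this hunk patches one call site rather than the contract. A more robust fix would be for imcb_chat_topic() to strip a g_strdup()'d copy, or at least to document on its prototype that `topic` must be writable. The same writability assumption applies to `subject->text` on the non-empty branch, which presumably points into parser-owned heap memory but is not shown here. jabber_chat_pkt_message() begins and ends outside the hunk.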