From 30a92754bb650c3dedd507d41110443142899a65 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Mon, 29 May 2017 14:43:24 -0400 Subject: [PATCH 1/2] Fix oob read of one byte in get_file_params_count{,_resume} We can use continue to handle cases such as: "abc" --- src/irc/dcc/dcc-get.c | 2 ++ src/irc/dcc/dcc-resume.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/src/irc/dcc/dcc-get.c b/src/irc/dcc/dcc-get.c index 73c1b864..eff516db 100644 --- a/src/irc/dcc/dcc-get.c +++ b/src/irc/dcc/dcc-get.c @@ -382,6 +382,8 @@ int get_file_params_count(char **params, int paramcount) if (*params[0] == '"') { /* quoted file name? */ for (pos = 0; pos < paramcount-3; pos++) { + if (strlen(params[pos]) == 0) + continue; if (params[pos][strlen(params[pos])-1] == '"' && get_params_match(params, pos+1)) return pos+1; diff --git a/src/irc/dcc/dcc-resume.c b/src/irc/dcc/dcc-resume.c index 36f84ddf..ce0ac925 100644 --- a/src/irc/dcc/dcc-resume.c +++ b/src/irc/dcc/dcc-resume.c @@ -62,6 +62,8 @@ int get_file_params_count_resume(char **params, int paramcount) if (*params[0] == '"') { /* quoted file name? */ for (pos = 0; pos < paramcount-2; pos++) { + if (strlen(params[pos]) == 0) + continue; if (params[pos][strlen(params[pos])-1] == '"' && get_params_match_resume(params, pos+1)) return pos+1; From 528f51bfbe5c65c5b24546faa244009dd5b3c586 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Wed, 17 May 2017 10:08:51 -0400 Subject: [PATCH 2/2] Fix dcc_request where addr is NULL --- src/irc/dcc/dcc-get.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/irc/dcc/dcc-get.c b/src/irc/dcc/dcc-get.c index 73c1b864..98294099 100644 --- a/src/irc/dcc/dcc-get.c +++ b/src/irc/dcc/dcc-get.c @@ -428,6 +428,10 @@ static void ctcp_msg_dcc_send(IRC_SERVER_REC *server, const char *data, int p_id = -1; int passive = FALSE; + if (addr == NULL) { + addr = ""; + } + /* SEND
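Review bot: The guard added to the loop in `get_file_params_count` evaluates `strlen(params[pos])` once for the emptiness test and again on the following line for the last-character index, and nothing records why an empty element can occur. Taking the length once keeps the check and the index visibly tied together: `len = strlen(params[pos]);`, then `if (len == 0) continue;` and `if (params[pos][len-1] == '"' && ...`. A short comment such as `/* empty element, e.g. from consecutive spaces in the request: there is no last character to test */` would state the reason; the second patch in this series shows `g_strsplit(data, " ", -1)` in the same file, which is presumably where such elements come from. The same applies to the identical loop in `get_file_params_count_resume` in dcc-resume.c. Both function bodies start and end outside their hunks.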
[...] */ /* SEND
0 (DCC SEND passive protocol) */ params = g_strsplit(data, " ", -1);
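Review bot: Replacing a NULL `addr` with `""` at the top of `ctcp_msg_dcc_send` avoids the NULL dereference but lets the request continue with an empty sender address, and the hunk has no comment saying when `addr` is NULL or why continuing is safe. The rest of the function is outside the hunk, so it is worth confirming that nothing later treats `addr` as an identity, for example by matching it against a mask or showing it to the user, in a way where an empty string behaves differently from a real address. I would put a comment above the check along the lines of `/* addr may be NULL for a request without a sender address; use "" so the string handling below never sees NULL */`, adjusted to the actual cause. If such a request is not meant to be honoured at all, returning early at this point would be the stricter choice.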