On 2006/09/16 20:11, Max Kellermann <[EMAIL PROTECTED]> wrote:
> The bug is caused by a wrong sscanf() return value check.  The
> sscanf() is called with two escapes, but the caller only checks
> whether one of those is valid.  This patch expands the check to both
> values.

I was wrong, since '%n' does not increment sscanf's return value.
Unfortunately, there is no way for the sscanf caller to see the
difference between "everything was parsed fine" and "no colon
detected, the variable 'realstart' wasn't assigned".

I changed the patch and removed the colon from the sscanf format
string.  The colon check is performed manually.

--- keys.c.orig 2006-09-16 20:37:43.474826000 +0200
+++ keys.c      2006-09-16 20:32:56.464889000 +0200
@@ -211,13 +211,20 @@
       return;
    }
 
-   if ( (sscanf(key_len_msg, ": Len %u:%n", &length, &realstart) < 1) ||
+   if ( (sscanf(key_len_msg, ": Len %u%n", &length, &realstart) < 1) ||
         (realstart == 0) ) {
       gaim_debug(GAIM_DEBUG_ERROR, "gaim-encryption", "Error in key header\n");
       return;
    }
 
    key_len_msg += realstart;
+   if (key_len_msg[0] != ':') {
+      gaim_debug(GAIM_DEBUG_ERROR, "gaim-encryption", "Colon expected\n");
+      return;
+   }
+
+   ++key_len_msg;
+
    if (strlen(key_len_msg) < length) {
       gaim_debug(GAIM_DEBUG_ERROR, "gaim-encryption", "Length doesn't match in 
add_key\n");
       return;
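Review bot: the `(realstart == 0)` guard on the line after the changed sscanf() is now dead code. With the literal ':' removed from the format, `%n` immediately follows `%u`, so whenever sscanf() returns >= 1 `realstart` has already been assigned the (non-zero) number of bytes consumed; the case the guard used to approximate, a colon that did not match, is now caught explicitly by the `key_len_msg[0] != ':'` test. Either drop the guard or add a short comment saying why it is kept, so a later reader does not assume it can still fire.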

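The behaviour described in the message, as an added example that is not the gaim-encryption code: `old_format_rc()` shows that sscanf() with the old format returns 1 whether or not the colon is present (`%n` is not counted), and `parse_key_header()` is a stand-alone version of the patched parsing. The header strings and the numeric error codes are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Return value of sscanf() with the OLD format.  '%n' is not a
 * conversion, so the result is 1 whether or not the literal ':' after
 * the length matched; the caller cannot tell the two apart. */
int old_format_rc(const char *msg)
{
    unsigned length;
    int realstart = 0;
    return sscanf(msg, ": Len %u:%n", &length, &realstart);
}

/* Patched parsing: read ": Len <n>", then check the colon by hand.
 * On success stores the length, points *key at the byte after the
 * colon and returns 0.  Error codes (constructed for this example)
 * mirror the three gaim_debug() failure paths in the patch:
 *   -1 bad header, -2 colon missing, -3 fewer than <n> bytes follow. */
int parse_key_header(const char *msg, unsigned *length, const char **key)
{
    int realstart = 0;

    if (sscanf(msg, ": Len %u%n", length, &realstart) < 1 || realstart == 0)
        return -1;                      /* "Error in key header" */
    msg += realstart;                   /* now at the byte after <n> */
    if (msg[0] != ':')
        return -2;                      /* "Colon expected" */
    ++msg;                              /* skip the colon */
    if (strlen(msg) < *length)
        return -3;                      /* "Length doesn't match" */
    *key = msg;
    return 0;
}
```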