fixing msn file transfer crash (CVE-2008-2955)
mmarek at suse.cz
Thu Aug 7 11:00:19 EDT 2008
Michal Marek wrote:
> * add a flag to struct MsnSlpMessage which tells msn_slpmsg_destroy()
> that this instance shouldn't be freed, but another flag should be set
> * set the first flag in msn_slplink_process_msg() before calling
> purple_xfer_start(), so that the slpmsg pointer is still valid after
> returning from purple_xfer_start(), and check ourselves whether
> msn_slpmsg_destroy() was called.
> What do you think about such a solution?
Reply to myself - I didn't notice a patch for that issue committed a few
hours ago to msn/ that fixes the same issue (and is more elegant). And
it also works when applied to msnp9/, so my patch can be ignored.
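The deferred-destroy idea described in the quoted proposal, as an added example that is not code from this thread, from the committed patch, or from libpurple. The struct, its field names and every function name here are hypothetical stand-ins for MsnSlpMessage, msn_slpmsg_destroy(), purple_xfer_start() and msn_slplink_process_msg().

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct MsnSlpMessage; field names are assumptions. */
struct slpmsg {
    bool defer_free;        /* set by a caller that still needs the pointer */
    bool destroy_requested; /* set instead of freeing while defer_free is on */
    int  session_id;
};

static int live_objects = 0; /* allocation counter, used to check for leaks */

struct slpmsg *slpmsg_new(int id) {
    struct slpmsg *m = calloc(1, sizeof *m);
    if (m == NULL) abort();
    m->session_id = id;
    live_objects++;
    return m;
}

/* Stand-in for msn_slpmsg_destroy(): honours the defer flag. */
void slpmsg_destroy(struct slpmsg *m) {
    if (m->defer_free) {
        m->destroy_requested = true; /* record the request, keep memory valid */
        return;
    }
    free(m);
    live_objects--;
}

/* Stand-in for purple_xfer_start(): may destroy the message as a side effect. */
static void xfer_start(struct slpmsg *m, bool cancel) {
    if (cancel)
        slpmsg_destroy(m);
}

/* Stand-in for msn_slplink_process_msg(). In this sketch the caller owns the
 * message and frees it when done. Returns the session id if the message
 * survived the callback, or -1 if destruction was requested during it. */
int process_msg(struct slpmsg *m, bool cancel) {
    m->defer_free = true;             /* pin the object across the callback */
    xfer_start(m, cancel);
    m->defer_free = false;
    int id = m->destroy_requested ? -1 : m->session_id; /* pointer still valid */
    slpmsg_destroy(m);                /* the real free happens exactly once */
    return id;
}

int live_count(void) { return live_objects; }
```

Without the `defer_free` check, the read of `m->destroy_requested` and `m->session_id` after the callback would touch freed memory whenever the callback destroys the message.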