Patch was adjusted to be applied to pidgin 2.11.0 Original: https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9 https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9bf6bffcafa156c14a4c7b3640837/raw
# HG changeset patch
# User Eion Robb
# Date 1487624732 0
# Branch EionRobb/fix-for-crash-when-sending-invalid-xml-e-1487474010880
# Node ID b2fc9e774cb9bf6bffcafa156c14a4c7b3640837
# Parent 6745ecd124da91d6711ebab8812247bcd785939a
Use the more robust entity processing that @dequisdequis came up with
diff --git a/libpurple/util.c b/libpurple/util.c
--- a/libpurple/util.c
+++ b/libpurple/util.c
@@ -978,18 +978,29 @@
 pln = "\302\256"; /* or use g_unichar_to_utf8(0xae); */
 else if(IS_ENTITY("'"))
 pln = "\'";
- else if(*(text+1) == '#' &&
- (sscanf(text, "&#%u%1[;]", £, temp) == 2 ||
- sscanf(text, "&#x%x%1[;]", £, temp) == 2) &&
- pound != 0) {
+ else if(text[1] == '#' && g_ascii_isxdigit(text[2])) {
 static char buf[7];
- int buflen = g_unichar_to_utf8((gunichar)pound, buf);
+ const char *start = text + 2;
+ char *end;
+ guint64 pound;
+ int base = 10;
+ int buflen;
+
+ if (*start == 'x') {
+ base = 16;
+ start++;
+ }
+
+ pound = g_ascii_strtoull(start, &end, base);
+ if (pound == 0 || pound > INT_MAX || *end != ';') {
+ return NULL;
+ }
+
+ len = (end - text) + 1;
+
+ buflen = g_unichar_to_utf8((gunichar)pound, buf);
 buf[buflen] = '\0';
 pln = buf;
-
- len = (*(text+2) == 'x' ? 3 : 2);
- while(isxdigit((gint) text[len])) len++;
- if(text[len] == ';') len++;
 }
 else
 return NULL;
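Review bot: The guard on the new `else if` rejects every hexadecimal reference, because `g_ascii_isxdigit(text[2])` is false when `text[2]` is the `x` that the `if (*start == 'x')` branch below then looks for, so `&#x41;`-style entities now fall through to `return NULL` instead of being decoded. The condition should admit the prefix, e.g. `else if(text[1] == '#' && (g_ascii_isxdigit(text[2]) || text[2] == 'x')) {`, with the base selection left as is. Separately, `pound > INT_MAX` only bounds the value for the `gunichar` cast; code points above 0x10FFFF and the surrogate range still reach `g_unichar_to_utf8`, which then emits bytes that are not valid UTF-8, so a `!g_unichar_validate(pound)` test alongside the existing range check would be safer if callers expect well-formed output. Note that `g_ascii_strtoull` skips leading whitespace, so once the hex branch is reachable `&#x 41;` would also be accepted; that is presumably harmless but worth knowing. The enclosing function begins and ends outside the hunk, so the declared types of `text` and `len` are assumed from the surrounding code.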