Talos Vulnerability Report


Pidgin MXIT Markup Command Denial of Service Vulnerability

June 21, 2016

Report ID



A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.

CVSSv3 Score

5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Tested Versions

Pidgin 2.10.11

Product URLs



When handling markup commands there are insufficient checks to validate that all required fields have been provided to successfully execute the command, potentially resulting in a null pointer dereference when trying to use those values.

When a command is received in a message, the function mxit_parse_command() is called. This function is defined at line 562 in the file mxit/formcmds.c.

This function expects to find values in the key=value format and inserts these pairs into a hash table:

hash = command_tokenize(start);	/* break into <key,value> pairs */

It will then check what type of command it is dealing with and will call the appropriate function.

Two functions in particular will rely on key/value pairs that, if not defined, will cause a null pointer dereference.

The first function is command_imagestrip(), defined at line 383 in mxit/formcmds.c:

At lines 393-399 it will look up the values of the keys nm, v and dat:

/* image strip name */
name = g_hash_table_lookup(hash, "nm");

/* validator */
validator = g_hash_table_lookup(hash, "v");

/* image data */
tmp = g_hash_table_lookup(hash, "dat");

While there is a check at line 400 to ensure that tmp is not NULL, there are no similar checks for name and validator. This will cause a null pointer dereference when they are used at lines 419 and 420:

escname = g_strdup(purple_escape_filename(name));
escvalidator = g_strdup(purple_escape_filename(validator));

The keys fw, fh and layer have similar errors at lines 432-439:

tmp = g_hash_table_lookup(hash, "fw");
width = atoi(tmp);

tmp = g_hash_table_lookup(hash, "fh");
height = atoi(tmp);

tmp = g_hash_table_lookup(hash, "layer");
layer = atoi(tmp);

Similar errors occur in the function command_table(), also in mxit/formcmds.c, at lines 530-543:

tmp = g_hash_table_lookup(hash, "col");
nr_columns = atoi(tmp);

/* number of rows */
tmp = g_hash_table_lookup(hash, "row");
nr_rows = atoi(tmp);

/* mode */
tmp = g_hash_table_lookup(hash, "mode");
mode = atoi(tmp);

/* table data */
tmp = g_hash_table_lookup(hash, "d");
coldata = g_strsplit(tmp, "~", 0);

g_hash_table_lookup() returns NULL for a key that is not present, so if any of these key/value pairs is missing from the command, the following atoi() or g_strsplit() call operates on a NULL pointer and the client crashes.
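The missing-key pattern described above for command_imagestrip() and command_table(), as an added example that is not Pidgin's code: a small key/value tokenizer stands in for command_tokenize() and its GHashTable, command_table_unchecked() reproduces the lookup-then-use shape from the report, and command_table_checked() shows the fix of validating every required field before it is used. The '|' separator, the k=v syntax, the fixed-size table, the numeric bounds and all function names are assumptions made for this example.

```c
/* Added illustration, not Pidgin code: the "look up a key, then use the value
 * without a NULL check" pattern from command_table(), beside a version that
 * validates every required field first. The '|' separator, the k=v syntax,
 * the fixed-size table and the numeric bounds are assumptions made for this
 * example; Pidgin uses command_tokenize() and a GHashTable. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 16
#define MAX_KEY    32
#define MAX_VAL    256

struct field     { char key[MAX_KEY]; char value[MAX_VAL]; };
struct fields    { struct field f[MAX_FIELDS]; size_t n; };
struct table_cmd { int nr_columns, nr_rows, mode; char data[MAX_VAL]; };

/* Split "k1=v1|k2=v2|..." into a key/value table; tokens without '=' or too
 * long for the table are dropped rather than stored half-parsed. */
static void tokenize(const char *cmd, struct fields *out)
{
    const char *p = cmd;
    out->n = 0;
    while (*p != '\0' && out->n < MAX_FIELDS) {
        const char *end = strchr(p, '|');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (eq) {
            size_t klen = (size_t)(eq - p), vlen = len - klen - 1;
            if (klen < MAX_KEY && vlen < MAX_VAL) {
                struct field *f = &out->f[out->n++];
                memcpy(f->key, p, klen);        f->key[klen] = '\0';
                memcpy(f->value, eq + 1, vlen); f->value[vlen] = '\0';
            }
        }
        p = end ? end + 1 : p + len;
    }
}

/* NULL when the sender omitted the key, just like g_hash_table_lookup(). */
static const char *lookup(const struct fields *t, const char *key)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->f[i].key, key) == 0)
            return t->f[i].value;
    return NULL;
}

/* Vulnerable shape, mirroring the report: a missing "col", "row" or "mode"
 * makes atoi(NULL) read through a null pointer, and a missing "d" is passed
 * on as a NULL source. Never call this on untrusted input. */
struct table_cmd command_table_unchecked(const struct fields *t)
{
    struct table_cmd c;
    c.nr_columns = atoi(lookup(t, "col"));
    c.nr_rows    = atoi(lookup(t, "row"));
    c.mode       = atoi(lookup(t, "mode"));
    strcpy(c.data, lookup(t, "d"));
    return c;
}

/* A decimal field that must be present, fully numeric and within [lo, hi]. */
static int required_int(const struct fields *t, const char *key,
                        long lo, long hi, int *out)
{
    const char *v = lookup(t, key);
    char *end; long n;
    if (v == NULL || *v == '\0')
        return -1;
    errno = 0;
    n = strtol(v, &end, 10);
    if (errno != 0 || *end != '\0' || n < lo || n > hi)
        return -1;
    *out = (int)n;
    return 0;
}

/* Hardened shape: every required key is checked before use; 0 on success,
 * -1 if the command is incomplete or malformed. */
static int command_table_checked(const struct fields *t, struct table_cmd *c)
{
    const char *d;
    if (required_int(t, "col",  1, 64, &c->nr_columns) != 0 ||
        required_int(t, "row",  1, 64, &c->nr_rows)    != 0 ||
        required_int(t, "mode", 0, 16, &c->mode)       != 0)
        return -1;
    if ((d = lookup(t, "d")) == NULL)
        return -1;
    strcpy(c->data, d); /* fits: tokenize() bounds values to MAX_VAL - 1 */
    return 0;
}

/* Tokenize and validate one command string in a single call. */
int parse_table_command(const char *cmd, struct table_cmd *c)
{
    struct fields t;
    tokenize(cmd, &t);
    return command_table_checked(&t, c);
}
```

parse_table_command("col=2|row=3|mode=0|d=a~b~c~d~e~f", &c) accepts the constructed complete command, while "col=2|row=3|d=a~b" (no mode) and "col=2|row=3|mode=0" (no data) are rejected before any value is touched; the same two inputs handed to command_table_unchecked() after tokenize() would crash in atoi(NULL) or strcpy(). The hardened version also rejects non-numeric or out-of-range counts, which the original atoi() calls silently turn into 0.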


Discovered by Yves Younan of Cisco Talos.


2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure