CVE-2016-2378
A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted data sent by the server can trigger a buffer overflow and corrupt memory. A malicious server, or a malicious user whose traffic the server does not filter, can send negative length values to trigger this vulnerability.
8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Pidgin 2.10.11
https://www.pidgin.im/
The function get_utf8_string, defined at line 231 in libpurple/protocols/mxit/chunk.c, takes a maximum string length (maxstrlen) as an argument. Usually this is the size of the destination buffer str that the string is written into.
It reads the length of the string from the chunk data at line 238 and checks at line 240 that the length is not larger than maxstrlen. If it is, the length is set equal to maxstrlen (line 244) and the excess is skipped.
238 pos += get_int16( &chunkdata[pos], &len );
239
240 if ( len > maxstrlen ) {
…
243 skip = len - maxstrlen;
244 len = maxstrlen;
245 }
However, len is a signed short. get_int16 fills it using ntohs, which returns an unsigned 16-bit value, but because len is signed the value is stored as a signed short. If the value on the wire is large enough (0x8000 or above), it becomes negative once stored in len, and a negative len is never greater than maxstrlen, so the size check at line 240 is bypassed.
The call to get_data at line 248 will then result in a buffer overflow:
248 pos += get_data( &chunkdata[pos], str, len );
The function get_data ends up calling memcpy, whose size parameter is an unsigned size_t, so the negative len is interpreted as a very large positive value and memcpy writes far past the end of str.
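The following is an added example, not Pidgin's own code, that models the length handling described above: a 16-bit big-endian length is read into a signed short and compared against maxstrlen, exactly the pattern the advisory describes. It shows why a wire length of 0x8000 or above slips past the check and what size would reach memcpy, alongside a hardened version that keeps the length unsigned and clamps it to the destination size. model_get_int16, vulnerable_copy_len, hardened_copy_len and the sample chunks are assumptions made for this example; nothing here actually performs the copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed stand-in for get_int16(): read a big-endian 16-bit value into a
 * signed short, as ntohs() followed by assignment to a short would.
 * Returns the number of bytes consumed. */
static int model_get_int16(const unsigned char *p, short *value)
{
    uint16_t raw = (uint16_t)((p[0] << 8) | p[1]);
    *value = (short)raw;   /* 0x8000 and above become negative here */
    return 2;
}

/* Vulnerable pattern (models lines 238-248 as described in the advisory):
 * the check only catches len > maxstrlen. A negative len passes through
 * unchanged and is then converted to size_t for memcpy, becoming huge.
 * Returns the size_t that would be handed to memcpy. */
size_t vulnerable_copy_len(const unsigned char *chunk, int maxstrlen)
{
    short len;
    model_get_int16(chunk, &len);
    if (len > maxstrlen)
        len = (short)maxstrlen;
    return (size_t)len;
}

/* Hardened pattern: the wire length stays unsigned and is clamped to the
 * destination size, so the copy length can never exceed maxstrlen. */
size_t hardened_copy_len(const unsigned char *chunk, size_t maxstrlen)
{
    size_t len = (size_t)((chunk[0] << 8) | chunk[1]);
    return len > maxstrlen ? maxstrlen : len;
}

/* Constructed sample chunks: only the 2-byte length prefix is modelled. */
const unsigned char chunk_small[]  = { 0x00, 0x10 };  /* length 16     */
const unsigned char chunk_large[]  = { 0x01, 0x00 };  /* length 256    */
const unsigned char chunk_signbit[] = { 0x80, 0x01 };  /* length 0x8001 */

/* Destination buffer size used for every sample. */
#define DEST_SIZE 64

int main(void)
{
    const unsigned char *samples[] = { chunk_small, chunk_large, chunk_signbit };
    const char *names[] = { "small", "large", "signbit" };
    for (int i = 0; i < 3; i++) {
        size_t v = vulnerable_copy_len(samples[i], DEST_SIZE);
        size_t h = hardened_copy_len(samples[i], DEST_SIZE);
        printf("%-8s vulnerable=%zu hardened=%zu %s\n", names[i], v, h,
               v > DEST_SIZE ? "<- check bypassed" : "");
    }
    return 0;
}
```

For the first two samples both versions yield a length of at most 64. For the sample whose top bit is set, the vulnerable version returns a value far larger than the 64-byte destination, which is the memcpy size the advisory describes, while the hardened version still returns 64.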
2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure
Discovered by Yves Younan of Cisco Talos.