
fix #121 content_parse_string memory crash

Signed-off-by: xiehuc <xiehuc@gmail.com>
1 parent 832254b commit 2566177e65d64893092ea06dcc99e695e10f6da3 @xiehuc committed Dec 5, 2012
Showing with 40 additions and 30 deletions.
  1. +4 −0 KnownIssue.md
  2. +2 −2 src/liblwqq/async.h
  3. +18 −11 src/liblwqq/msg.c
  4. +16 −17 src/webqq.c
@@ -0,0 +1,4 @@
+KnownIssue
+==========
+
+1. webqq无法正确的处理\t.手机QQ测试可以.
@@ -111,9 +111,9 @@ do{\
*((int*)ev) = res;\
}while(0)
/** this return a errno of a event. */
-#define lwqq_async_event_get_result(ev) (*((int*)ev))
+#define lwqq_async_event_get_result(ev) (ev?*((int*)ev):-1)
/** this return one of errno of event in set ,so do not use it*/
-#define lwqq_async_evset_get_result(ev) (*((int*)ev))
+#define lwqq_async_evset_get_result(ev) (ev?*((int*)ev):-1)
extern int LWQQ_ASYNC_GLOBAL_SYNC_ENABLED;
#define LWQQ_SYNC_BEGIN() { LWQQ_ASYNC_GLOBAL_SYNC_ENABLED = 1;
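Review bot: The macro arguments in `lwqq_async_event_get_result` and `lwqq_async_evset_get_result` are used unparenthesised, so an argument containing an operator (a cast, a comma expression, a `?:` of its own) binds wrongly once it meets the new conditional; write them as `#define lwqq_async_event_get_result(ev) ((ev) ? *((int*)(ev)) : -1)` and the same shape for the evset variant. The doc comment above each should also record the new NULL case, e.g. `/** returns the errno of an event, or -1 when ev is NULL */`, because a caller that treats `err > 0` as failure (as send_receipt in webqq.c does) will read a missing event as success unless it checks for NULL itself.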
@@ -1172,27 +1172,33 @@ static void parse_unescape(char* source,char *buf,int buf_len)
char* ptr = source;
size_t idx;
while(*ptr!='\0'){
+ if(buf_len<=0) return;
idx = strcspn(ptr,"\n\t\\;&\"+");
if(ptr[idx] == '\0'){
- strcpy(buf,ptr);
+ strncpy(buf,ptr,buf_len);
buf+=idx;
+ buf_len-=idx;
break;
}
- strncpy(buf,ptr,idx);
+ strncpy(buf,ptr,(idx<buf_len)?idx:buf_len);
buf+=idx;
+ buf_len-=idx;
+ if(buf_len<=0) return;
switch(ptr[idx]){
//note buf point the end position
- case '\n': strcpy(buf,"\\\\n");break;
- case '\t': strcpy(buf,"\\\\t");break;
- case '\\': strcpy(buf,"\\\\\\\\");break;
+ case '\n': strncpy(buf,"\\\\n",buf_len);break;
+ case '\t': strncpy(buf,"\\\\t",buf_len);break;
+ case '\\': strncpy(buf,"\\\\\\\\",buf_len);break;
//i dont know why ; is not worked.so we use another expression
- case ';' : strcpy(buf,"\\u003B");break;
- case '&' : strcpy(buf,"\\u0026");break;
- case '"' : strcpy(buf,"\\\\\\\"");break;
- case '+' : strcpy(buf,"\\u002B");break;
+ case ';' : strncpy(buf,"\\u003B",buf_len);break;
+ case '&' : strncpy(buf,"\\u0026",buf_len);break;
+ case '"' : strncpy(buf,"\\\\\\\"",buf_len);break;
+ case '+' : strncpy(buf,"\\u002B",buf_len);break;
}
ptr+=idx+1;
- buf+=strlen(buf);
+ idx=strlen(buf);
+ buf+=idx;
+ buf_len-=idx;
}
*buf = '\0';
}
@@ -1471,7 +1477,7 @@ LwqqAsyncEvent* lwqq_msg_send(LwqqClient *lc, LwqqMsg *msg)
{
LwqqHttpRequest *req = NULL;
char *content = NULL;
- static char data[8192];
+ char data[8192];
data[0] = '\0';
LwqqMsgMessage *mmsg;
const char *apistr;
@@ -1534,6 +1540,7 @@ LwqqAsyncEvent* lwqq_msg_send(LwqqClient *lc, LwqqMsg *msg)
"\"psessionid\":\"%s\"}",
content,lc->msg_id,lc->clientid,lc->psessionid);
format_append(data,"&clientid=%s&psessionid=%s",lc->clientid,lc->psessionid);
+ if(strlen(data)+1==sizeof(data)) return NULL;
lwqq_puts(data);
/* Create a POST request */
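Review bot: The bounded copies in parse_unescape still leave buf unterminated and write past its end when source is longer than buf_len: on the terminal branch `strncpy(buf,ptr,buf_len)` with idx >= buf_len copies no NUL, yet `buf+=idx` then steps past the array and the final `*buf = '\0'` writes out of bounds, while in the escape branch a strncpy of a replacement longer than buf_len leaves no terminator so the following `idx=strlen(buf)` reads beyond the buffer, and both early `return`s skip the terminator entirely. A copy that clamps every length to the remaining space minus one byte reserved for the NUL, and stops rather than emitting a partial escape sequence, keeps the output well formed; the signature `static void parse_unescape(char* source,char *buf,int buf_len)` is above the hunk, so the rewrite below repeats it only for placement. The later `if(strlen(data)+1==sizeof(data)) return NULL;` in lwqq_msg_send returns before the function's normal tail, so if `content` (initialised to NULL at the top of the function) has been heap-allocated by that point this path leaks it, and the check also rejects a message whose encoded length is exactly sizeof(data)-1 — checking the snprintf/format_append results would be more precise, though format_append's contract is not visible here. lwqq_msg_send continues outside the hunk.
```c
static void parse_unescape(char* source,char *buf,int buf_len)
{
    char* ptr = source;
    size_t idx;
    if(buf_len<=0) return;
    buf_len--;                          /* reserve the terminator byte */
    while(*ptr!='\0' && buf_len>0){
        idx = strcspn(ptr,"\n\t\\;&\"+");
        if(idx>(size_t)buf_len) idx = (size_t)buf_len;
        memcpy(buf,ptr,idx);            /* bounded: idx <= remaining space */
        buf+=idx;
        buf_len-=(int)idx;
        ptr+=idx;
        if(*ptr=='\0' || buf_len<=0) break;
        const char* rep = "";
        switch(*ptr){
            case '\n': rep = "\\\\n";break;
            case '\t': rep = "\\\\t";break;
            case '\\': rep = "\\\\\\\\";break;
            //i dont know why ; is not worked.so we use another expression
            case ';' : rep = "\\u003B";break;
            case '&' : rep = "\\u0026";break;
            case '"' : rep = "\\\\\\\"";break;
            case '+' : rep = "\\u002B";break;
            default: break;             /* unreachable: strcspn set matches the cases above */
        }
        size_t rlen = strlen(rep);
        if(rlen>(size_t)buf_len) break; /* no room for the whole escape: stop, never emit a partial one */
        memcpy(buf,rep,rlen);
        buf+=rlen;
        buf_len-=(int)rlen;
        ptr++;
    }
    *buf = '\0';                        /* always terminated: one byte was reserved above */
}
```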
@@ -906,20 +906,23 @@ static void send_receipt(LwqqAsyncEvent* ev,void* data)
char* what = d[3];
s_free(data);
- int err = lwqq_async_event_get_result(ev);
- static char buf[1024];
- PurpleConversation* conv = find_conversation(msg->type,who,ac);
+ if(ev == NULL){
+ qq_sys_msg_write(ac,msg->type,who,"消息内容过长",PURPLE_MESSAGE_ERROR,time(NULL));
+ }else{
+ int err = lwqq_async_event_get_result(ev);
+ static char buf[1024];
+ PurpleConversation* conv = find_conversation(msg->type,who,ac);
- if(err == LWQQ_MC_LOST_CONN){
- ac->qq->dispatch(ac->qq,ac->qq->async_opt->poll_lost,NULL);
- }
- if(conv && err > 0){
- if(err == LWQQ_MC_TOO_FAST)
- snprintf(buf,sizeof(buf),"发送速度过快:\n%s",what);
- else
- snprintf(buf,sizeof(buf),"发送失败(err:%d):\n%s",err,what);
- qq_sys_msg_write(ac, msg->type, who, buf, PURPLE_MESSAGE_ERROR, time(NULL));
- //lwqq_async_dispatch(ac->qq,SYS_MSG_COME,system_msg_new(msg->type,who,ac,buf,PURPLE_MESSAGE_ERROR,time(NULL)));
+ if(err == LWQQ_MC_LOST_CONN){
+ ac->qq->dispatch(ac->qq,ac->qq->async_opt->poll_lost,NULL);
+ }
+ if(conv && err > 0){
+ if(err == LWQQ_MC_TOO_FAST)
+ snprintf(buf,sizeof(buf),"发送速度过快:\n%s",what);
+ else
+ snprintf(buf,sizeof(buf),"发送失败(err:%d):\n%s",err,what);
+ qq_sys_msg_write(ac, msg->type, who, buf, PURPLE_MESSAGE_ERROR, time(NULL));
+ }
}
LwqqMsgMessage* mmsg = msg->opaque;
@@ -968,7 +971,6 @@ static int qq_send_im(PurpleConnection *gc, const gchar *who, const gchar *what,
mmsg->f_size = 13;
mmsg->f_style.b = 0,mmsg->f_style.i = 0,mmsg->f_style.u = 0;
mmsg->f_color = s_strdup("000000");
- //PurpleConversation* conv = purple_find_conversation_with_account(PURPLE_CONV_TYPE_IM,who,ac->account);
translate_message_to_struct(lc, who, what, msg, 0);
@@ -1013,9 +1015,6 @@ static int qq_send_chat(PurpleConnection *gc, int id, const char *message, Purpl
d[2] = s_strdup(group->gid);
d[3] = s_strdup(message);
lwqq_async_add_event_listener(lwqq_msg_send(ac->qq,msg), send_receipt, d);
- //background_send_msg(ac,msg,group->gid,message,conv);
-
- //write message by hand
purple_conversation_write(conv,NULL,message,flags,time(NULL));
return 1;
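Review bot: The new `if(ev == NULL)` branch in send_receipt only runs if lwqq_async_add_event_listener accepts the NULL that lwqq_msg_send now returns and still invokes the listener with it; that function is not in the diff, so if it drops a NULL event instead, the branch is dead and the d[] array built with s_strdup in qq_send_chat (and its counterpart in qq_send_im) is never freed — worth confirming, or handling the NULL at the call site `lwqq_async_add_event_listener(lwqq_msg_send(ac->qq,msg), send_receipt, d);` before the listener is registered. As a point of style, wrapping the existing body in `else{ ... }` re-indents every line of it; a guard that writes the error message and jumps to the common tail at `LwqqMsgMessage* mmsg = msg->opaque;` would keep the diff minimal. The `static char buf[1024]` kept inside the else-branch still shares state across calls, which is the same pattern the msg.c hunk removed with `static char data[8192]`; fine if libpurple only invokes this callback from its main loop, but worth a comment stating that assumption. send_receipt starts before and continues past the hunk.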
