CVE-2013-6490
An exploitable remote code execution vulnerability exists in Pidgin’s implementation of SIP/SIMPLE message handling. An attacker who can control the Content-Length of a SIP/SIMPLE message can cause an allocation to return NULL which can later be used to write into the lowest page of memory.
Pidgin 2.10.7 (Windows only)
In sipmsg_parse_header() in file pidgin-2.10.7\libpurple\protocols\simple\sipmsg.c at line 114, the length of the message is read from an incoming message into an int:
57 struct sipmsg *sipmsg_parse_header(const gchar *header) {
...
114 tmp2 = sipmsg_find_header(msg, "Content-Length");
115 if (tmp2 != NULL)
116 msg->bodylen = strtol(tmp2, NULL, 10);
The above sipmsg_parse_header is called from process_input() in file pidgin-2.10.7\libpurple\protocols\simple\simple.c at line 1631. If the message specifies a negative bodylen (-1), then restlen will be larger than bodylen, which means the if statement at line 1642 will be entered. The following allocation of bodylen + 1 evaluates to a size of zero:
1642 if(restlen >= msg->bodylen) {
1643 dummy = g_malloc(msg->bodylen + 1);
1644 memcpy(dummy, cur, msg->bodylen);
Unlike libc malloc, g_malloc returns NULL when it is called with a size of zero. As a result of that behavior, this ends up being a write to the NULL page rather than the typical heap overflow. Writes to the zero page are exploitable if an attacker can cause enough allocations and exhaust enough of the memory address range to make the system map the low page.
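The following is an added example, not Pidgin's code and not the project's fix: it models the signed-length check above, then shows a hardened Content-Length parser that rejects negative, non-numeric and oversized values before any allocation is sized from them. All function names are illustrative, and plain malloc stands in for g_malloc so the example builds without GLib.

```c
/* Added example (not Pidgin's code). Models the flawed size check from the
 * advisory and contrasts it with validated parsing of Content-Length. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the original condition: a negative bodylen satisfies
 * restlen >= bodylen, and bodylen + 1 then becomes the zero-size allocation
 * described above. Returns 1 when the (buggy) check would be entered. */
int vulnerable_check_passes(long restlen, long bodylen) {
    return restlen >= bodylen;
}

/* Hardened parse of a Content-Length header value.
 * Returns the length (>= 0) on success, or -1 for anything malformed:
 * a sign character, no digits, trailing garbage, or out-of-range magnitude. */
long parse_content_length(const char *value) {
    if (value == NULL || *value == '\0')
        return -1;
    /* A Content-Length is never signed; reject "-1" and "+5" outright
     * instead of letting strtol accept them. */
    if (*value == '-' || *value == '+')
        return -1;
    errno = 0;
    char *end = NULL;
    long n = strtol(value, &end, 10);
    if (errno == ERANGE || end == value)
        return -1;                      /* overflow or no digits at all */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;                          /* tolerate trailing whitespace only */
    if (*end != '\0')
        return -1;                      /* e.g. "5x" */
    return n;                           /* non-negative by construction */
}

/* Copies the declared body out of the received buffer only when the length
 * validated and the bytes are actually present. Returns a NUL-terminated
 * copy, or NULL when the header is invalid or the body is not yet complete
 * (a real parser would wait for more input in the latter case). */
char *copy_body(const char *cur, size_t restlen, const char *content_length) {
    long bodylen = parse_content_length(content_length);
    if (bodylen < 0 || (size_t)bodylen > restlen)
        return NULL;
    /* bodylen >= 0, so the request is at least one byte and never zero. */
    char *dummy = malloc((size_t)bodylen + 1);
    if (dummy == NULL)
        return NULL;
    memcpy(dummy, cur, (size_t)bodylen);
    dummy[bodylen] = '\0';
    return dummy;
}

int main(void) {
    const char body[] = "hello";        /* constructed sample body */
    printf("buggy check, Content-Length -1: %s\n",
           vulnerable_check_passes(5, -1) ? "entered (bug)" : "skipped");
    char *ok = copy_body(body, strlen(body), "5");
    printf("hardened, Content-Length 5: %s\n", ok ? ok : "rejected");
    free(ok);
    char *bad = copy_body(body, strlen(body), "-1");
    printf("hardened, Content-Length -1: %s\n", bad ? bad : "rejected");
    free(bad);
    return 0;
}
```

The key point is that the length is validated as a non-negative quantity before it ever feeds an allocation size or a memcpy count; the original comparison only bounded bodylen from above.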
Sourcefire VRT