Talos Vulnerability Report


Pidgin libpurple MSN Message Parsing NULL Dereference Denial of Service Vulnerability

May 11, 2015
CVE Number


An exploitable denial of service vulnerability exists in Pidgin's implementation of the MSN Messenger protocol in the libpurple library. An attacker who can control the contents of an MSN message can cause a string search function to return a NULL pointer, which is later dereferenced without validation.

Tested Versions

Pidgin 2.10.7

Product URLs



In file libpurple/protocols/msn/msg.c at line 199 in function msn_message_parse_payload(), the following code exists:

    if ((**cur == ' ') || (**cur == '\t')) {
        tokens = g_strsplit(g_strchug(*cur), "=\"", 2);
        key = tokens[0];
        value = tokens[1];

        /* The only one I care about is 'boundary' (which is folded from
           the key 'Content-Type'), so only process that. */
        if (!strcmp(key, "boundary")) {
            char *end = strchr(value, '\"');
            *end = '\0';

If a message contains 'boundary = "value' (i.e. without a closing quote) then the strchr function call at line 199 will return NULL. This NULL pointer is dereferenced on the following line, resulting in program termination.
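The following is an added example, not libpurple code: a plain C re-implementation (no glib) of the folded `boundary="..."` header handling from the excerpt above, with the NULL check that the original `strchr()` result lacks. The function name `parse_folded_boundary` and the return codes are this example's own; the sample lines in `main()` are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hardened parse of one folded MSN header line such as  \tboundary="value".
 * Mirrors the excerpt: g_strchug() -> skip leading whitespace,
 * g_strsplit(..., "=\"", 2) -> split once at the first '="',
 * strchr(value, '"') -> find the closing quote.
 *
 * Returns  1 and copies the boundary into out  when the key is "boundary",
 *          0 when the folded key is something else,
 *         -1 when the line is malformed (no '="' or no closing quote),
 *         -2 when the value does not fit in out.
 */
int parse_folded_boundary(const char *line, char *out, size_t outlen)
{
    while (*line == ' ' || *line == '\t')   /* g_strchug() */
        line++;

    const char *sep = strstr(line, "=\"");  /* g_strsplit(line, "=\"", 2) */
    if (sep == NULL)
        return -1;                          /* no value part: reject */

    size_t keylen = (size_t)(sep - line);
    if (keylen != strlen("boundary") || strncmp(line, "boundary", keylen) != 0)
        return 0;

    const char *value = sep + 2;
    /* The check missing in the original: strchr() returns NULL when the
       closing quote is absent, and  *end = '\0'  then writes through NULL. */
    const char *end = strchr(value, '"');
    if (end == NULL)
        return -1;

    size_t vlen = (size_t)(end - value);
    if (vlen + 1 > outlen)
        return -2;
    memcpy(out, value, vlen);
    out[vlen] = '\0';
    return 1;
}

int main(void)
{
    char buf[64];
    /* constructed sample lines: well-formed, then missing the closing quote */
    printf("%d %s\n", parse_folded_boundary("\tboundary=\"abc123\"", buf, sizeof buf), buf);
    printf("%d\n", parse_folded_boundary("\tboundary=\"abc123", buf, sizeof buf));
    return 0;
}
```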


Yves Younan of Sourcefire VRT