GitLab

In message.c, it seems to assume that the first '?OTR|' occurence is at the same offset as the first '?OTR' occurence. Doesn't seem to raise any security issue though.

Proposed patch:

--- ../libotr-4.1.0/src/message.c	2015-01-17 21:10:15.244660449 +0100
+++ message.c	2015-01-18 18:47:09.342512374 +0100
@@ -987,7 +987,7 @@
     otrtag = strstr(message, "?OTR");
     if (otrtag) {
 	/* See if we have a V3 fragment */
-	if (strstr(message, "?OTR|")) {
+	if (otrtag == strstr(message, "?OTR|")) {
 	    /* Get the instance tag from fragment header*/
 	    sscanf(otrtag, "?OTR|%x|%x,", &their_instance, &our_instance);
 	    /* Ignore message if it is intended for a different instance */

(from redmine: created on 2015-01-26, closed on 2015-02-08)