[Sec] Remote crash with multiple magnet links

The following was submitted to http://www.securityfocus.com/archive/1

DC++ 0.797 and 0.799 can be remotely crashed by posting multiple magnet links in one message

Background
DC++ [1] is a chat and file sharing application for the Direct Connect [2] network.

DC++ registers the URI scheme ‘magnet’ [3] in Microsoft Windows. A user may post a magnet link in the chat at it will appear for other users. This message is like any other chat message.

Security issue description
DC++ 0.797 and 0.799 change the way a magnet link appear, which cause a problem in the parsing engine when multiple messages were shown.

A magnet link is sent in the form of;
magnet:?xt=urn:tree> :tiger:> H5K2DYQC7U2H6DVGRPLCSNC3MH2UXBDWIKAMFEY&xl=413253784&dn=foobar.iso

DC++ changes the appearance and display to the user;
foobar.iso (magnet)

Using multiple magnet links can cause DC++ 0.797 and 0.799 to be crashed remotely, without any other user interaction.

A test message can be in the form of;
Test: magnet:?xt=urn:tree> :tiger:> H5K2DYQC7U2H6DVGRPLCSNC3MH2UXBDWIKAMFEY&xl=413253784&dn=foobar.iso magnet:?xt=urn:tree> :tiger:> GNPE66SMDITMA6JXLWCTCRDSY7ALZXLJJWYKLAA&xl=3540652293&dn=foobar2.iso
This will appear as;
Test: foobar.iso (magnet) foobar2.iso (magnet)

Fix description
A fix was deploy to the DC++ source code, to the Bazaar revision 3019. This fix is in DC++ 0.800.

Exploits
Like the initial bug report [4] mentions, this has been found out in the open. However, any malicious intent is unknown.

Affected versions
DC++ 0.797 and 0.799. Any modifcations to the software may also have this issue.

Found by: Skip de Groot (> https://launchpad.net/~skipdegroot> )
Fixed by: poy (> https://launchpad.net/~poy> )

References
[1] > http://dcplusplus.sourceforge.net/
[2] > http://en.wikipedia.org/wiki/Direct_Connect_(file_sharing)
[3] > http://en.wikipedia.org/wiki/Magnet_URI_scheme
[4] > https://bugs.launchpad.net/dcplusplus/+bug/1032227
[5] > http://dcpp.wordpress.com/2012/10/06/mainchat-crashing-dc-0-785-0-799/