0ee6ccbd82
* Sun Jul 26 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-6 - fix CVE-2009-1725 - crash, possible ACE in numeric character references - fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free) - fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?) - fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling - fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl * Thu Jul 23 2009 Jaroslav Reznik <jreznik@redhat.com> - 4.2.4-5 - CVE-2009-2537 - select length DoS - correct fixPopupForPlasmaboard.patch * Wed Jul 08 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-4 - fix CMake dependency in parallel_devel patch (#510259, CHIKAMA Masaki) * Mon Jun 15 2009 Rex Dieter <rdieter@fedoraproject.org> 4.2.4-3 - fixPopupForPlasmaboard.patch
28 lines
1.4 KiB
Diff
28 lines
1.4 KiB
Diff
diff -up kdelibs-4.2.4/khtml/ecma/kjs_html.cpp.cve-2009-2537-select-length kdelibs-4.2.4/khtml/ecma/kjs_html.cpp
|
|
--- kdelibs-4.2.4/khtml/ecma/kjs_html.cpp.cve-2009-2537-select-length 2009-03-26 15:44:13.000000000 +0100
|
|
+++ kdelibs-4.2.4/khtml/ecma/kjs_html.cpp 2009-07-23 10:35:55.908865609 +0200
|
|
@@ -69,6 +69,9 @@
|
|
#include <QtCore/QList>
|
|
#include <QtCore/QHash>
|
|
|
|
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
|
|
+#define MAX_SELECT_LENGTH 10000
|
|
+
|
|
using namespace DOM;
|
|
|
|
namespace KJS {
|
|
@@ -2428,8 +2431,12 @@ void KJS::HTMLElement::putValueProperty(
|
|
case SelectValue: { select.setValue(str.implementation()); return; }
|
|
case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
|
|
JSObject *coll = getSelectHTMLCollection(exec, select.options(), &select)->getObject();
|
|
+
|
|
if ( coll )
|
|
- coll->put(exec,"length",value);
|
|
+ if (value->toInteger(exec) >= MAX_SELECT_LENGTH)
|
|
+ setDOMException(exec, DOMException::INDEX_SIZE_ERR);
|
|
+ else
|
|
+ coll->put(exec, "length", value);
|
|
return;
|
|
}
|
|
// read-only: form
|