kdelibs/kdelibs-4.2.4-cve-2009-1690.patch
Kevin Kofler 9826456992 * Sun Jul 26 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-6
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
- fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
2009-07-26 04:20:01 +00:00


Index: khtml/html/htmlparser.h
===================================================================
--- khtml/html/htmlparser.h (revision 983315)
+++ khtml/html/htmlparser.h (revision 983316)
@@ -157,7 +157,7 @@
/*
* the head element. Needed for crappy html which defines <base> after </head>
*/
- DOM::HTMLHeadElementImpl *head;
+ RefPtr<DOM::HTMLHeadElementImpl> head;
/*
* a possible <isindex> element in the head. Compatibility hack for
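Review bot: The comment above `head` still only explains why the member exists ("crappy html which defines <base> after </head>") and says nothing about why it now holds a reference, which is the whole point of this change. A maintainer reading `RefPtr<DOM::HTMLHeadElementImpl> head;` cannot tell that the parser must keep the node alive independently of the tree, and may be tempted to turn it back into a raw pointer or to `delete` it. I would extend the comment with: ` * Held by RefPtr so the parser keeps the <head> node alive even after it is detached from the document; later uses of head must not touch freed memory (CVE-2009-1690).` — the use-after-free is what the commit message describes, so that wording is only as precise as the message itself. The class declaration continues outside this hunk.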
Index: khtml/html/htmlparser.cpp
===================================================================
--- khtml/html/htmlparser.cpp (revision 983315)
+++ khtml/html/htmlparser.cpp (revision 983316)
@@ -216,7 +216,6 @@
form = 0;
map = 0;
- head = 0;
end = false;
isindex = 0;
@@ -678,8 +677,7 @@
case ID_BASE:
if(!head) {
head = new HTMLHeadElementImpl(document);
- e = head;
- insertNode(e);
+ insertNode(head.get());
handled = true;
}
break;
@@ -894,7 +892,7 @@
case ID_HEAD:
if(!head && (current->id() == ID_HTML || current->isDocumentNode())) {
head = new HTMLHeadElementImpl(document);
- n = head;
+ n = head.get();
}
break;
case ID_BODY:
@@ -1907,19 +1905,19 @@
head = new HTMLHeadElementImpl(document);
HTMLElementImpl *body = doc()->body();
int exceptioncode = 0;
- doc()->documentElement()->insertBefore(head, body, exceptioncode);
+ doc()->documentElement()->insertBefore(head.get(), body, exceptioncode);
if ( exceptioncode ) {
#ifdef PARSER_DEBUG
kDebug( 6035 ) << "creation of head failed!!!!:" << exceptioncode;
#endif
- delete head;
+ delete head.get();
head = 0;
}
// If the body does not exist yet, then the <head> should be pushed as the current block.
if (head && !body) {
pushBlock(head->id(), tagPriority(head->id()));
- setCurrent(head);
+ setCurrent(head.get());
}
}
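Review bot: `delete head.get();` followed by `head = 0;` in the exception branch releases the same node twice: the explicit delete frees the object while `head` still holds its reference, and the assignment then makes RefPtr deref() that freed object, which is a use-after-free of exactly the kind this patch is meant to remove. Assuming HTMLHeadElementImpl's deref() frees the node once its count reaches zero and it is not in the document (inferred from the ref-counted design, not visible here), the explicit delete is redundant and the branch should just drop the reference: `head = 0;` on its own, with the `delete head.get();` line removed. If insertBefore() can leave the node partially attached on failure so that deref() would not free it, that is a separate leak to handle in insertBefore(), not a reason to keep a raw delete next to a RefPtr. The hunk is also missing a comment on why the head is pushed as the current block only when `!body`; a one-liner such as `// body already exists: the head goes before it but must not become the current block` would help. The opening lines of this function are outside the hunk.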