74fa0fbc55
- fix CVE-2009-2537 - select length DoS - fix CVE-2009-1725 - crash, possible ACE in numeric character references - fix CVE-2009-1687 - possible ACE in KJS (FIXME: now aborts, so still crashes) - fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
43 lines
1.8 KiB
Diff
43 lines
1.8 KiB
Diff
diff -ur kdelibs-4.2.98/khtml/css/cssparser.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp
|
|
--- kdelibs-4.2.98/khtml/css/cssparser.cpp 2009-07-21 17:16:12.000000000 +0200
|
|
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp 2009-07-26 04:19:38.000000000 +0200
|
|
@@ -1513,6 +1513,14 @@
|
|
if ( args->size() != 1)
|
|
return false;
|
|
Value *a = args->current();
|
|
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
|
|
+ isValid=false;
|
|
+ break;
|
|
+ }
|
|
+ if (qString(a->string)[0] == '-') {
|
|
+ isValid=false;
|
|
+ break;
|
|
+ }
|
|
parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
|
|
}
|
|
else
|
|
@@ -1565,7 +1573,8 @@
|
|
|
|
CounterImpl *counter = new CounterImpl;
|
|
Value *i = args->current();
|
|
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
|
|
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
|
|
+ if (qString(i->string)[0] == '-') goto invalid;
|
|
counter->m_identifier = domString(i->string);
|
|
if (counters) {
|
|
i = args->next();
|
|
diff -ur kdelibs-4.2.98/khtml/css/css_valueimpl.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp
|
|
--- kdelibs-4.2.98/khtml/css/css_valueimpl.cpp 2009-05-14 19:27:35.000000000 +0200
|
|
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp 2009-07-26 04:17:28.000000000 +0200
|
|
@@ -1212,7 +1212,9 @@
|
|
text = getValueName(m_value.ident);
|
|
break;
|
|
case CSSPrimitiveValue::CSS_ATTR:
|
|
- // ###
|
|
+ text = "attr(";
|
|
+ text += DOMString( m_value.string );
|
|
+ text += ")";
|
|
break;
|
|
case CSSPrimitiveValue::CSS_COUNTER:
|
|
text = "counter(";
|