74fa0fbc55
- fix CVE-2009-2537 - select length DoS - fix CVE-2009-1725 - crash, possible ACE in numeric character references - fix CVE-2009-1687 - possible ACE in KJS (FIXME: now aborts, so still crashes) - fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
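--- a/khtml/ecma/kjs_html.cpp	(revision 1001151)
+++ b/khtml/ecma/kjs_html.cpp	(revision 1001152)
@@ -69,6 +69,9 @@
 #include <QtCore/QList>
 #include <QtCore/QHash>
 
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
+#define MAX_SELECT_LENGTH 10000
+
 using namespace DOM;
 
 namespace KJS {
@@ -2454,8 +2457,12 @@
 case SelectValue: { select.setValue(str.implementation()); return; }
 case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
 JSObject *coll = getSelectHTMLCollection(exec, select.options(), &select)->getObject();
+
 if ( coll )
-coll->put(exec,"length",value);
+if (value->toInteger(exec) >= MAX_SELECT_LENGTH)
+setDOMException(exec, DOMException::INDEX_SIZE_ERR);
+else
+coll->put(exec, "length", value);
 return;
 }
 // read-only: form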