Rebase CVE-2009-1698 patch.
parent
e57cb8baa2
commit
5e929decd1
@ -1,5 +1,34 @@
|
|||||||
--- kdelibs-3.5.4/khtml/css/css_valueimpl.cpp.CVE-2009-1698 2009-06-18 10:59:23.000000000 +0200
|
diff -ur kdelibs-3.5.10/khtml/css/cssparser.cpp kdelibs-3.5.10-cve-2009-1698/khtml/css/cssparser.cpp
|
||||||
+++ kdelibs-3.5.4/khtml/css/css_valueimpl.cpp 2009-06-18 12:53:44.000000000 +0200
|
--- kdelibs-3.5.10/khtml/css/cssparser.cpp 2007-01-15 12:34:04.000000000 +0100
|
||||||
|
+++ kdelibs-3.5.10-cve-2009-1698/khtml/css/cssparser.cpp 2009-07-26 05:46:39.000000000 +0200
|
||||||
|
@@ -1344,6 +1344,14 @@
|
||||||
|
if ( args->size() != 1)
|
||||||
|
return false;
|
||||||
|
Value *a = args->current();
|
||||||
|
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
|
||||||
|
+ isValid=false;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ if (qString(a->string)[0] == '-') {
|
||||||
|
+ isValid=false;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
@@ -1396,7 +1404,8 @@
|
||||||
|
|
||||||
|
CounterImpl *counter = new CounterImpl;
|
||||||
|
Value *i = args->current();
|
||||||
|
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
|
||||||
|
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
|
||||||
|
+ if (qString(i->string)[0] == '-') goto invalid;
|
||||||
|
counter->m_identifier = domString(i->string);
|
||||||
|
if (counters) {
|
||||||
|
i = args->next();
|
||||||
|
diff -ur kdelibs-3.5.10/khtml/css/css_valueimpl.cpp kdelibs-3.5.10-cve-2009-1698/khtml/css/css_valueimpl.cpp
|
||||||
|
--- kdelibs-3.5.10/khtml/css/css_valueimpl.cpp 2006-07-22 10:16:49.000000000 +0200
|
||||||
|
+++ kdelibs-3.5.10-cve-2009-1698/khtml/css/css_valueimpl.cpp 2009-07-26 05:45:36.000000000 +0200
|
||||||
@@ -736,7 +736,9 @@
|
@@ -736,7 +736,9 @@
|
||||||
text = getValueName(m_value.ident);
|
text = getValueName(m_value.ident);
|
||||||
break;
|
break;
|
||||||
@ -11,47 +40,3 @@
|
|||||||
break;
|
break;
|
||||||
case CSSPrimitiveValue::CSS_COUNTER:
|
case CSSPrimitiveValue::CSS_COUNTER:
|
||||||
text = "counter(";
|
text = "counter(";
|
||||||
--- kdelibs-3.5.4/khtml/css/cssparser.cpp.CVE-2009-1698 2009-06-18 10:37:13.000000000 +0200
|
|
||||||
+++ kdelibs-3.5.4/khtml/css/cssparser.cpp 2009-06-23 13:05:20.000000000 +0200
|
|
||||||
@@ -1318,6 +1318,7 @@
|
|
||||||
|
|
||||||
Value *val;
|
|
||||||
CSSValueImpl *parsedValue = 0;
|
|
||||||
+ bool valid = true;
|
|
||||||
while ( (val = valueList->current()) ) {
|
|
||||||
if ( val->unit == CSSPrimitiveValue::CSS_URI ) {
|
|
||||||
// url
|
|
||||||
@@ -1336,6 +1337,14 @@
|
|
||||||
if ( args->size() != 1)
|
|
||||||
return false;
|
|
||||||
Value *a = args->current();
|
|
||||||
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
|
|
||||||
+ valid=false;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ if (qString(a->string)[0] == '-') {
|
|
||||||
+ valid=false;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
@@ -1367,7 +1376,7 @@
|
|
||||||
break;
|
|
||||||
valueList->next();
|
|
||||||
}
|
|
||||||
- if ( values->length() ) {
|
|
||||||
+ if ( valid && values->length() ) {
|
|
||||||
addProperty( propId, values, important );
|
|
||||||
valueList->next();
|
|
||||||
return true;
|
|
||||||
@@ -1384,7 +1393,8 @@
|
|
||||||
|
|
||||||
CounterImpl *counter = new CounterImpl;
|
|
||||||
Value *i = args->current();
|
|
||||||
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
|
|
||||||
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
|
|
||||||
+ if (qString(i->string)[0] == '-') goto invalid;
|
|
||||||
counter->m_identifier = domString(i->string);
|
|
||||||
if (counters) {
|
|
||||||
i = args->next();
|
|
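Review bot: Nothing in the rebased patch declares or reads the `isValid` flag that the `attr()` hunk at `@@ -1344,6 +1344,14 @@` sets before `break`; the 3.5.4 version of the patch carried `bool valid = true;` and `if ( valid && values->length() )` for that purpose. Presumably kdelibs 3.5.10 already declares `isValid` and checks it before `addProperty`, but that is not visible on this page and should be confirmed against the 3.5.10 source. If the flag is not checked there, values collected before the rejected `attr()` argument would still be added. A one-line comment above the new checks in both the `attr()` and `counter()` hunks would record the intent, for example `// CVE-2009-1698: accept only a CSS_IDENT argument that does not start with '-'`. The enclosing functions start and end outside the hunks, so the `invalid:` label and any cleanup of `counter` are not visible here.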
@ -107,7 +107,7 @@ Patch202: kdelibs-3.5.4-CVE-2009-1687.patch
|
|||||||
# fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
|
# fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
|
||||||
Patch203: kdelibs-3.5.4-CVE-2009-1690.patch
|
Patch203: kdelibs-3.5.4-CVE-2009-1690.patch
|
||||||
# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
|
# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
|
||||||
Patch204: kdelibs-3.5.4-CVE-2009-1698.patch
|
Patch204: kdelibs-3.5.10-cve-2009-1698.patch
|
||||||
|
|
||||||
#{?arts:Requires: arts >= %{arts_ev}}
|
#{?arts:Requires: arts >= %{arts_ev}}
|
||||||
#Requires: %{qt3} >= %{qt3_ev}
|
#Requires: %{qt3} >= %{qt3_ev}
|
||||||
|