--- kdelibs-3.5.4/khtml/css/css_valueimpl.cpp.CVE-2009-1698 2009-06-18 10:59:23.000000000 +0200
+++ kdelibs-3.5.4/khtml/css/css_valueimpl.cpp 2009-06-18 12:53:44.000000000 +0200
@@ -736,7 +736,9 @@
text = getValueName(m_value.ident);
break;
case CSSPrimitiveValue::CSS_ATTR:
- // ###
+ text = "attr(";
+ text += DOMString( m_value.string );
+ text += ")";
break;
case CSSPrimitiveValue::CSS_COUNTER:
text = "counter(";
--- kdelibs-3.5.4/khtml/css/cssparser.cpp.CVE-2009-1698 2009-06-18 10:37:13.000000000 +0200
+++ kdelibs-3.5.4/khtml/css/cssparser.cpp 2009-06-23 13:05:20.000000000 +0200
@@ -1318,6 +1318,7 @@
Value *val;
CSSValueImpl *parsedValue = 0;
+ bool valid = true;
while ( (val = valueList->current()) ) {
if ( val->unit == CSSPrimitiveValue::CSS_URI ) {
// url
@@ -1336,6 +1337,14 @@
if ( args->size() != 1)
return false;
Value *a = args->current();
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+ valid=false;
+ break;
+ }
+ if (qString(a->string)[0] == '-') {
+ valid=false;
+ break;
+ }
parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
}
else
@@ -1367,7 +1376,7 @@
break;
valueList->next();
}
- if ( values->length() ) {
+ if ( valid && values->length() ) {
addProperty( propId, values, important );
valueList->next();
return true;
@@ -1384,7 +1393,8 @@
CounterImpl *counter = new CounterImpl;
Value *i = args->current();
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (qString(i->string)[0] == '-') goto invalid;
counter->m_identifier = domString(i->string);
if (counters) {
i = args->next();