kdelibs3/kdelibs-3.5.4-CVE-2009-1687.patch
Kevin Kofler e57cb8baa2 - fix CVE-2009-2537 - select length DoS
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
2009-07-26 03:09:15 +00:00

21 lines
769 B
Diff

--- kdelibs-3.5.4/kjs/collector.cpp.CVE-2009-1687 2009-06-17 15:07:33.000000000 +0200
+++ kdelibs-3.5.4/kjs/collector.cpp 2009-06-20 00:42:48.000000000 +0200
@@ -23,6 +23,7 @@
#include "value.h"
#include "internal.h"
+#include <limits.h>
#ifndef MAX
#define MAX(a,b) ((a) > (b) ? (a) : (b))
@@ -119,6 +120,9 @@
// didn't find one, need to allocate a new block
if (heap.usedBlocks == heap.numBlocks) {
+ static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR;
+ if (heap.numBlocks > maxNumBlocks)
+ return 0L;
heap.numBlocks = MAX(MIN_ARRAY_SIZE, heap.numBlocks * GROWTH_FACTOR);
heap.blocks = (CollectorBlock **)realloc(heap.blocks, heap.numBlocks * sizeof(CollectorBlock *));
}