kdelibs3/kdelibs-3.5.10-cve-2009-2537-select-length.patch
Kevin Kofler e57cb8baa2 - fix CVE-2009-2537 - select length DoS
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
2009-07-26 03:09:15 +00:00

31 lines
1.6 KiB
Diff

diff -ur kdelibs-3.5.10/khtml/ecma/kjs_html.cpp kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp
--- kdelibs-3.5.10/khtml/ecma/kjs_html.cpp 2008-02-13 10:41:09.000000000 +0100
+++ kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp 2009-07-26 04:54:52.000000000 +0200
@@ -62,6 +62,9 @@
#include <kdebug.h>
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
+#define MAX_SELECT_LENGTH 10000
+
namespace KJS {
KJS_DEFINE_PROTOTYPE_WITH_PROTOTYPE(HTMLDocumentProto, DOMDocumentProto)
@@ -2550,8 +2553,14 @@
case SelectValue: { select.setValue(str); return; }
case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
Object coll = Object::dynamicCast( getSelectHTMLCollection(exec, select.options(), select) );
- if ( coll.isValid() )
- coll.put(exec,"length",value);
+
+ if ( coll.isValid() ) {
+ if (value.toInteger(exec) >= MAX_SELECT_LENGTH) {
+ Object err = Error::create(exec, RangeError);
+ exec->setException(err);
+ } else
+ coll.put(exec, "length", value);
+ }
return;
}
// read-only: form