
List:       kde-commits
Subject:    KDE/kdelibs/khtml/ecma
From:       Jaroslav Řezník <jreznik () redhat ! com>
Date:       2009-07-22 15:06:32
Message-ID: 1248275192.431245.3299.nullmailer () svn ! kde ! org

SVN commit 1001060 by jreznik:

cve-2009-2573 - big value caused DoS, limited to 10000 elements

 M  +8 -1      kjs_html.cpp  


--- trunk/KDE/kdelibs/khtml/ecma/kjs_html.cpp #1001059:1001060
@@ -69,6 +69,9 @@
 #include <QtCore/QList>
 #include <QtCore/QHash>
 
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
+#define MAX_SELECT_LENGTH 10000
+
 using namespace DOM;
 
 namespace KJS {
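Review bot: The comment on the new constant cites CVE-2009-2537 while the commit message says cve-2009-2573; one of the two looks like a transposition and should be corrected so the fix can be found by its identifier. The comment would also be more useful if it said what the bound protects, e.g. `// Upper bound accepted when script assigns HTMLSelectElement.length; a very large value caused a DoS`. A typed constant such as `static const int maxSelectLength = 10000;` would give the limit a type and a scope instead of a file-wide macro.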
@@ -2454,8 +2457,12 @@
       case SelectValue:           { select.setValue(str.implementation()); return; }
       case SelectLength:          { // read-only according to the NS spec, but \
                webpages need it writeable
                                          JSObject *coll = \
getSelectHTMLCollection(exec, select.options(), &select)->getObject();
+
                                          if ( coll )
-                                           coll->put(exec,"length",value);
+                                           if (value->toInteger(exec) >= \
MAX_SELECT_LENGTH)
+                                             \
setDOMException(exec, DOMException::INDEX_SIZE_ERR);
+                                \
else
+                                             coll->put(exec, "length", value);
                                          return;
                                        }
       // read-only: form
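Review bot: The added check converts `value` with `toInteger(exec)` and then passes the unconverted `value` to `coll->put`, so the number that is checked and the number that is applied come from two separate conversions; for an object argument these can run script and need not agree. Convert once and store the checked number, e.g. `const double len = value->toInteger(exec);` followed by `coll->put(exec, "length", jsNumber(len));`, and return early if the conversion raised an exception. The `>=` also rejects exactly 10000 although the comment describes 10000 as the agreed maximum, and the unbraced `if ( coll ) if (...) ... else ...` relies on dangling-else binding, so braces would make it safer to edit. The guard covers only this `SelectLength` setter; whether the options collection's own `length` put enforces the same bound is not visible in this hunk and should be confirmed. The enclosing switch and function start and end outside the hunk.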

