
List:       kde-commits
Subject:    KDE/kdelibs/kjs
From:       Kevin Kofler <kevin.kofler () chello ! at>
Date:       2009-07-26 3:33:22
Message-ID: 1248579202.149111.9041.nullmailer () svn ! kde ! org

SVN commit 1002471 by kkofler:

Fix integer overflow in KJS JavaScript garbage collector (CVE-2009-1687). Patch adapted from WebKit changeset 41854 by Geoffrey Garen.
FIXME: This will still crash (as in the WebKit commit), so you can still DoS the browser, but at least the overflow is not exploitable anymore.

 M  +4 -0      collector.cpp  


--- trunk/KDE/kdelibs/kjs/collector.cpp #1002470:1002471
@@ -31,6 +31,7 @@
 #include "value.h"
 
 #include <setjmp.h>
+#include <limits.h>
 #include <algorithm>
 
 #if PLATFORM(DARWIN)
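Review bot: `ULONG_MAX` from the new `<limits.h>` include is used in the next hunk as the ceiling for a `size_t` computation, but `size_t` is not `unsigned long` on every platform (on 64-bit Windows `unsigned long` is 32-bit while `size_t` is 64-bit), so the bound is a proxy that is safe only because it errs on the small side. `SIZE_MAX` from `<stdint.h>` or `std::numeric_limits<size_t>::max()` from `<limits>` would state the intent exactly, and in a C++ file the `<climits>` spelling would match the `<algorithm>` include right beside it.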
@@ -109,6 +110,9 @@
 
     void append(CollectorBlock* block) {
         if (m_used == m_capacity) {
+            static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / \
GROWTH_FACTOR; +            if (m_capacity > maxNumBlocks)
+                CRASH();
             m_capacity = max(MIN_ARRAY_SIZE, m_capacity * GROWTH_FACTOR);
             m_data = static_cast<CollectorBlock **>(fastRealloc(m_data, m_capacity * \
sizeof(CollectorBlock *)));  }
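Review bot: the arithmetic behind the new `if (m_capacity > maxNumBlocks)` guard is sound: with `maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR`, any `m_capacity <= maxNumBlocks` guarantees that `m_capacity * GROWTH_FACTOR * sizeof(CollectorBlock*)` fits in `unsigned long`, so both the `m_capacity * GROWTH_FACTOR` growth step and the `m_capacity * sizeof(CollectorBlock *)` realloc size below are covered by a single check placed before either multiplication. The open point is the one the commit message already flags: `CRASH()` converts the overflow into a deterministic abort, so a script that allocates enough objects still takes the process down; if `append()` has any way to report failure to its caller, an out-of-memory path would be the better long-term fix, and a one-line comment above `CRASH()` stating that the block array would exceed addressable memory would help the next reader understand why this is not a normal allocation failure.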

