List: kde-commits
Subject: branches/KDE/4.3/kdelibs/kjs
From: Kevin Kofler <kevin.kofler () chello ! at>
Date: 2009-07-26 3:35:57
Message-ID: 1248579357.957322.9209.nullmailer () svn ! kde ! org
SVN commit 1002473 by kkofler:
Fix integer overflow in KJS JavaScript garbage collector (CVE-2009-1687). Patch adapted from WebKit changeset 41854 by Geoffrey Garen.
FIXME: This will still crash (as in the WebKit commit), so you can still DoS the browser, but at least the overflow is not exploitable anymore. Backport revision 1002471 from trunk.
M +4 -0 collector.cpp
--- branches/KDE/4.3/kdelibs/kjs/collector.cpp #1002472:1002473
@@ -31,6 +31,7 @@
#include "value.h"
#include <setjmp.h>
+#include <limits.h>
#include <algorithm>
#if PLATFORM(DARWIN)
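Review bot: `<limits.h>` is pulled in only for ULONG_MAX, which the second hunk uses to bound size_t arithmetic; since this is a C++ file (it already includes `<algorithm>`), `<climits>` is the conventional spelling, and `std::numeric_limits<size_t>::max()` from `<limits>` (or SIZE_MAX) would state the intended bound directly instead of assuming unsigned long and size_t have the same width. The check stays safe either way (where unsigned long is narrower than size_t the limit is merely stricter than necessary), but a short comment next to the include saying what it is for would save the next reader a search.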
@@ -109,6 +110,9 @@
void append(CollectorBlock* block) {
if (m_used == m_capacity) {
+ static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / \
GROWTH_FACTOR; + if (m_capacity > maxNumBlocks)
+ CRASH();
m_capacity = max(MIN_ARRAY_SIZE, m_capacity * GROWTH_FACTOR);
m_data = static_cast<CollectorBlock **>(fastRealloc(m_data, m_capacity * \
sizeof(CollectorBlock *))); }
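Review bot: the bound is right (with m_capacity <= maxNumBlocks, m_capacity * GROWTH_FACTOR * sizeof(CollectorBlock*) cannot exceed ULONG_MAX, so the byte count handed to fastRealloc no longer wraps to a small allocation), but the new lines carry no comment explaining the arithmetic; a one-liner above maxNumBlocks such as `// Refuse to grow if m_capacity * GROWTH_FACTOR * sizeof(CollectorBlock*) would overflow (CVE-2009-1687)` would document why the division by GROWTH_FACTOR is there. Since CRASH() aborts the process, this converts a heap overflow into a deliberate crash, which the commit message already concedes still lets a page take down the browser; a follow-up should make append() report the out-of-memory condition to its caller instead of crashing.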