author | lofi <lofi@FreeBSD.org> | 2006-01-20 21:58:44 +0000 |
---|---|---|
committer | lofi <lofi@FreeBSD.org> | 2006-01-20 21:58:44 +0000 |
commit | 484d798e7335f47f88824e6434693d1cb39c27fa (patch) | |
tree | 8dce271b9f8baf7d96cee35318f7af40d12ac21d /x11/kdelibs4/files | |
parent | 5051edc79f14b3917712708c525f5f0f00cadd03 (diff) | |
Fix an incorrect bounds check in kjs, the JavaScript interpreter engine used
by Konqueror and other parts of KDE, that allowed a heap based buffer over-
flow when decoding specially crafted UTF-8 encoded URI sequences.
Possible impact included executing arbitrary code and crashing the web browser.
Security: http://www.kde.org/info/security/advisory-20060119-1.txt
Security: CVE-2006-0019
Diffstat (limited to 'x11/kdelibs4/files')
-rw-r--r-- | x11/kdelibs4/files/patch-post-3.4.3-kdelibs-kjs | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/x11/kdelibs4/files/patch-post-3.4.3-kdelibs-kjs b/x11/kdelibs4/files/patch-post-3.4.3-kdelibs-kjs
new file mode 100644
index 0000000..998f389
--- /dev/null
+++ b/x11/kdelibs4/files/patch-post-3.4.3-kdelibs-kjs
@@ -0,0 +1,49 @@
+Index: kjs/function.cpp
+===================================================================
+--- kjs/function.cpp (revision 495921)
++++ kjs/function.cpp (working copy)
+@@ -77,7 +77,8 @@ UString encodeURI(ExecState *exec, UStri
+ }
+ else if (C.uc >= 0xD800 && C.uc <= 0xDBFF) {
+
+- if (k == string.size()) {
++ // we need two chars
++ if (k + 1 >= string.size()) {
+ Object err = Error::create(exec,URIError);
+ exec->setException(err);
+ free(encbuf);
+@@ -197,6 +198,10 @@ UString decodeURI(ExecState *exec, UStri
+ }
+
+ k += 2;
++
++ if (decbufLen+2 >= decbufAlloc)
++ decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
++
+ if ((B & 0x80) == 0) {
+ // Single-byte character
+ C = B;
+@@ -257,6 +262,12 @@ UString decodeURI(ExecState *exec, UStri
+ assert(n == 4);
+ unsigned long uuuuu = ((octets[0] & 0x07) << 2) | ((octets[1] >> 4) & 0x03);
+ unsigned long vvvv = uuuuu-1;
++ if (vvvv > 0x0F) {
++ Object err = Error::create(exec,URIError);
++ exec->setException(err);
++ free(decbuf);
++ return UString();
++ }
+ unsigned long wwww = octets[1] & 0x0F;
+ unsigned long xx = (octets[2] >> 4) & 0x03;
+ unsigned long yyyy = octets[2] & 0x0F;
+@@ -270,9 +281,7 @@ UString decodeURI(ExecState *exec, UStri
+ }
+
+ if (reservedSet.find(C) < 0) {
+- if (decbufLen+1 >= decbufAlloc)
+- decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
+- decbuf[decbufLen++] = C;
++ decbuf[decbufLen++] = C;
+ }
+ else {
+ while (decbufLen+k-start >= decbufAlloc) |
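Review bot: The growth check hoisted after `k += 2;` in the second inner hunk assigns the result of `realloc` straight back to `decbuf` without testing it, so on allocation failure `decbuf` becomes NULL, the original buffer leaks, and the later `decbuf[decbufLen++] = C;` (which the fourth hunk leaves without its own growth check) dereferences a null pointer. I would keep the old pointer in a temporary until the call succeeds and otherwise bail out through the same error path the new `vvvv > 0x0F` guard uses. The hoisted check also assumes one doubling leaves room for two more UChars, which holds only if the initial decbufAlloc (set outside these hunks) is at least 2 — worth confirming against the allocation site. decodeURI's body begins and ends outside the hunk.
```cpp
    k += 2;

    if (decbufLen+2 >= decbufAlloc) {
      UChar *grown = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
      if (!grown) {
        Object err = Error::create(exec,URIError);
        exec->setException(err);
        free(decbuf);
        return UString();
      }
      decbuf = grown;
    }
    // … unchanged: single-byte / multi-byte decoding branches …
```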