blob: 5972b0a380c16f4bbbe9859c9e1326cfaf52a81e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
diff -ur kdelibs-3.5.10/khtml/ecma/kjs_html.cpp kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp
--- kdelibs-3.5.10/khtml/ecma/kjs_html.cpp 2008-02-13 10:41:09.000000000 +0100
+++ kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp 2009-07-26 04:54:52.000000000 +0200
@@ -62,6 +62,9 @@
#include <kdebug.h>
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
+#define MAX_SELECT_LENGTH 10000
+
namespace KJS {
KJS_DEFINE_PROTOTYPE_WITH_PROTOTYPE(HTMLDocumentProto, DOMDocumentProto)
@@ -2550,8 +2553,14 @@
case SelectValue: { select.setValue(str); return; }
case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
Object coll = Object::dynamicCast( getSelectHTMLCollection(exec, select.options(), select) );
- if ( coll.isValid() )
- coll.put(exec,"length",value);
+
+ if ( coll.isValid() ) {
+ if (value.toInteger(exec) >= MAX_SELECT_LENGTH) {
+ Object err = Error::create(exec, RangeError);
+ exec->setException(err);
+ } else
+ coll.put(exec, "length", value);
+ }
return;
}
// read-only: form
|
