summaryrefslogtreecommitdiffstats
path: root/opensuse/core/tdelibs/kdelibs-3.5.10-cve-2009-2537-select-length.patch
blob: 5972b0a380c16f4bbbe9859c9e1326cfaf52a81e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
diff -ur kdelibs-3.5.10/khtml/ecma/kjs_html.cpp kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp
--- kdelibs-3.5.10/khtml/ecma/kjs_html.cpp	2008-02-13 10:41:09.000000000 +0100
+++ kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp	2009-07-26 04:54:52.000000000 +0200
@@ -62,6 +62,9 @@
 
 #include <kdebug.h>
 
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
+#define MAX_SELECT_LENGTH 10000
+
 namespace KJS {
 
 KJS_DEFINE_PROTOTYPE_WITH_PROTOTYPE(HTMLDocumentProto, DOMDocumentProto)
@@ -2550,8 +2553,14 @@
       case SelectValue:           { select.setValue(str); return; }
       case SelectLength:          { // read-only according to the NS spec, but webpages need it writeable
                                          Object coll = Object::dynamicCast( getSelectHTMLCollection(exec, select.options(), select) );
-                                         if ( coll.isValid() )
-                                           coll.put(exec,"length",value);
+
+                                         if ( coll.isValid() ) {
+                                           if (value.toInteger(exec) >= MAX_SELECT_LENGTH) {
+                                             Object err = Error::create(exec, RangeError);
+                                             exec->setException(err);
+                                           } else
+                                             coll.put(exec, "length", value);
+                                         }
                                          return;
                                        }
       // read-only: form