Gentoo's Bugzilla – Attachment 77368 Details for
Bug 118550
kde-base/kdelibs: kjs heap based buffer overflow (CVE-2006-0019)
[patch]
post-3.4.3-kdelibs-kjs.diff
post-3.4.3-kdelibs-kjs.diff (text/plain), 1.53 KB, created by
Carsten Lohrke (RETIRED)
on 2006-01-17 12:01:26 UTC
Description:
post-3.4.3-kdelibs-kjs.diff
Filename:
MIME Type:
Creator:
Carsten Lohrke (RETIRED)
Created:
2006-01-17 12:01:26 UTC
Size:
1.53 KB
patch
obsolete
>Index: kjs/function.cpp
>===================================================================
>--- kjs/function.cpp (revision 495921)
>+++ kjs/function.cpp (working copy)
>@@ -77,7 +77,8 @@ UString encodeURI(ExecState *exec, UStri
> }
> else if (C.uc >= 0xD800 && C.uc <= 0xDBFF) {
>
>- if (k == string.size()) {
>+ // we need two chars
>+ if (k + 1 >= string.size()) {
> Object err = Error::create(exec,URIError);
> exec->setException(err);
> free(encbuf);
>@@ -197,6 +198,10 @@ UString decodeURI(ExecState *exec, UStri
> }
>
> k += 2;
>+
>+ if (decbufLen+2 >= decbufAlloc)
>+ decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
>+
> if ((B & 0x80) == 0) {
> // Single-byte character
> C = B;
>@@ -257,6 +262,12 @@ UString decodeURI(ExecState *exec, UStri
> assert(n == 4);
> unsigned long uuuuu = ((octets[0] & 0x07) << 2) | ((octets[1] >> 4) & 0x03);
> unsigned long vvvv = uuuuu-1;
>+ if (vvvv > 0x0F) {
>+ Object err = Error::create(exec,URIError);
>+ exec->setException(err);
>+ free(decbuf);
>+ return UString();
>+ }
> unsigned long wwww = octets[1] & 0x0F;
> unsigned long xx = (octets[2] >> 4) & 0x03;
> unsigned long yyyy = octets[2] & 0x0F;
>@@ -270,9 +281,7 @@ UString decodeURI(ExecState *exec, UStri
> }
>
> if (reservedSet.find(C) < 0) {
>- if (decbufLen+1 >= decbufAlloc)
>- decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
>- decbuf[decbufLen++] = C;
>+ decbuf[decbufLen++] = C;
> }
> else {
> while (decbufLen+k-start >= decbufAlloc)
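Review bot: The `realloc` added after `k += 2;` assigns its result straight back to `decbuf` with no null check, so an allocation failure leaks the old buffer and leaves the later `decbuf[decbufLen++] = C;` store writing through a null pointer. `decbufAlloc` is also doubled inside the size expression before the call is known to have succeeded; its type is not visible here, so whether `(decbufAlloc *= 2)*sizeof(UChar)` can wrap for very long inputs should be confirmed. Growing through a temporary and updating `decbufAlloc` only on success keeps the buffer and its recorded capacity consistent. The body of decodeURI starts and ends outside this hunk, so how the function should report the failure is left as a comment below.

```cpp
    k += 2;

    if (decbufLen+2 >= decbufAlloc) {
      // grow through a temporary so the old buffer is not lost on failure
      UChar *grown = (UChar*)realloc(decbuf, decbufAlloc*2*sizeof(UChar));
      if (!grown) {
        free(decbuf);
        // report the failure to the caller here, as the file's other error paths do
        return UString();
      }
      decbuf = grown;
      decbufAlloc *= 2;
    }
    // … unchanged: single-byte / multi-byte decoding …
```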
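Review bot: The new `if (vvvv > 0x0F)` guard has no comment, and it depends on unsigned wraparound that is easy to miss: when `uuuuu` is 0, `uuuuu-1` wraps to the largest `unsigned long`, so the same comparison rejects both that case and `uuuuu` above 0x10. I would add `// uuuuu == 0 wraps vvvv to ULONG_MAX; uuuuu > 0x10 gives vvvv > 0x0F; reject both as malformed UTF-8` above the check. How `vvvv` is used afterwards is outside the hunk, so the comment should stay limited to what the test rejects.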
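Review bot: After this hunk the store `decbuf[decbufLen++] = C;` has no capacity check beside it and is in bounds only because of the `decbufLen+2 >= decbufAlloc` growth added after `k += 2;` in the @@ -197 hunk. A comment at the store, for example `// capacity for this UChar was reserved by the growth check after k += 2`, would keep a later edit from moving or removing that check without noticing this dependency. The `else` branch keeps its own `while (decbufLen+k-start >= decbufAlloc)` loop, whose body lies outside the hunk.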
Attachments on
bug 118550
: 77368 |
77369