From 89cfde63b8a29b6513d65cfb0f16b2b210257063 Mon Sep 17 00:00:00 2001 From: Francois Andriot Date: Sat, 1 Jun 2013 18:12:53 +0200 Subject: [PATCH] Fix possible DOS in konqueror (CVE-2009-2537) --- tdehtml/ecma/kjs_html.cpp | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/tdehtml/ecma/kjs_html.cpp b/tdehtml/ecma/kjs_html.cpp index abd059e75..83de94612 100644 --- a/tdehtml/ecma/kjs_html.cpp +++ b/tdehtml/ecma/kjs_html.cpp @@ -62,6 +62,9 @@ #include +// CVE-2009-2537 (vendors agreed on max 10000 elements) +#define MAX_SELECT_LENGTH 10000 + namespace KJS { KJS_DEFINE_PROTOTYPE_WITH_PROTOTYPE(HTMLDocumentProto, DOMDocumentProto) @@ -2550,8 +2553,14 @@ void KJS::HTMLElement::putValueProperty(ExecState *exec, int token, const Value& case SelectValue: { select.setValue(str); return; } case SelectLength: { // read-only according to the NS spec, but webpages need it writeable Object coll = Object::dynamicCast( getSelectHTMLCollection(exec, select.options(), select) ); - if ( coll.isValid() ) - coll.put(exec,"length",value); + if ( coll.isValid() ) { + if (value.toInteger(exec) >= MAX_SELECT_LENGTH) { + Object err = Error::create(exec, RangeError); + exec->setException(err); + } else { + coll.put(exec, "length", value); + } + } return; } // read-only: form