authorMichael Nottebrock <lofi@FreeBSD.org>2006-01-20 21:58:44 +0000
committerMichael Nottebrock <lofi@FreeBSD.org>2006-01-20 21:58:44 +0000
commit5994b1225170cff1782eaf2cab9022a71988ef88 (patch)
tree334a27deacab8c0d568d169fb4eefb45e0d2efe4 /x11/kdelibs3
parent[patch] misc/tinderbox does not install php4-pgsql (or mysql) (diff)
Fix an incorrect bounds check in kjs, the JavaScript interpreter engine used
by Konqueror and other parts of KDE, that allowed a heap-based buffer overflow when decoding specially crafted UTF-8 encoded URI sequences. Possible impact included executing arbitrary code and crashing the web browser. Security: http://www.kde.org/info/security/advisory-20060119-1.txt Security: CVE-2006-0019
Diffstat (limited to 'x11/kdelibs3')
-rw-r--r--x11/kdelibs3/Makefile1
-rw-r--r--x11/kdelibs3/files/patch-post-3.4.3-kdelibs-kjs49
2 files changed, 50 insertions, 0 deletions
diff --git a/x11/kdelibs3/Makefile b/x11/kdelibs3/Makefile
index df549220c2ea..93d111217512 100644
--- a/x11/kdelibs3/Makefile
+++ b/x11/kdelibs3/Makefile
@@ -8,6 +8,7 @@
PORTNAME= kdelibs
PORTVERSION= ${KDE_VERSION}
+PORTREVISION= 1
CATEGORIES= x11 kde
MASTER_SITES= ${MASTER_SITE_KDE}
MASTER_SITE_SUBDIR= stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdelibs3/files/patch-post-3.4.3-kdelibs-kjs b/x11/kdelibs3/files/patch-post-3.4.3-kdelibs-kjs
new file mode 100644
index 000000000000..998f389edfb1
--- /dev/null
+++ b/x11/kdelibs3/files/patch-post-3.4.3-kdelibs-kjs
@@ -0,0 +1,49 @@
+Index: kjs/function.cpp
+===================================================================
+--- kjs/function.cpp (revision 495921)
++++ kjs/function.cpp (working copy)
+@@ -77,7 +77,8 @@ UString encodeURI(ExecState *exec, UStri
+ }
+ else if (C.uc >= 0xD800 && C.uc <= 0xDBFF) {
+
+- if (k == string.size()) {
++ // we need two chars
++ if (k + 1 >= string.size()) {
+ Object err = Error::create(exec,URIError);
+ exec->setException(err);
+ free(encbuf);
+@@ -197,6 +198,10 @@ UString decodeURI(ExecState *exec, UStri
+ }
+
+ k += 2;
++
++ if (decbufLen+2 >= decbufAlloc)
++ decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
++
+ if ((B & 0x80) == 0) {
+ // Single-byte character
+ C = B;
+@@ -257,6 +262,12 @@ UString decodeURI(ExecState *exec, UStri
+ assert(n == 4);
+ unsigned long uuuuu = ((octets[0] & 0x07) << 2) | ((octets[1] >> 4) & 0x03);
+ unsigned long vvvv = uuuuu-1;
++ if (vvvv > 0x0F) {
++ Object err = Error::create(exec,URIError);
++ exec->setException(err);
++ free(decbuf);
++ return UString();
++ }
+ unsigned long wwww = octets[1] & 0x0F;
+ unsigned long xx = (octets[2] >> 4) & 0x03;
+ unsigned long yyyy = octets[2] & 0x0F;
+@@ -270,9 +281,7 @@ UString decodeURI(ExecState *exec, UStri
+ }
+
+ if (reservedSet.find(C) < 0) {
+- if (decbufLen+1 >= decbufAlloc)
+- decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
+- decbuf[decbufLen++] = C;
++ decbuf[decbufLen++] = C;
+ }
+ else {
+ while (decbufLen+k-start >= decbufAlloc)
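Review bot: The `realloc` call added after `k += 2;` in decodeURI assigns its result straight back to `decbuf` with no null check, so an allocation failure leaks the old buffer and the later `decbuf[decbufLen++] = C;` writes through a null pointer. Growing through a temporary and committing the doubled `decbufAlloc` only on success keeps the buffer owned on the failure path, which can then free it and return as the other error paths in this patch do. The size expression `(decbufAlloc *= 2)*sizeof(UChar)` could also wrap on very large inputs if `decbufAlloc` is a narrow integer type, but its declaration is outside this patch, so that is worth confirming rather than assumed. The `while (decbufLen+k-start >= decbufAlloc)` loop at the end of the hunk has its body outside the patch and may share the same pattern. decodeURI itself starts and ends outside these hunks.

```cpp
k += 2;

if (decbufLen+2 >= decbufAlloc) {
  // Grow through a temporary so the old buffer is still owned if realloc fails.
  UChar *grown = (UChar*)realloc(decbuf, (decbufAlloc * 2) * sizeof(UChar));
  if (!grown) {
    // Raise whatever exception the interpreter uses for allocation failure (not visible in this patch).
    free(decbuf);
    return UString();
  }
  decbuf = grown;
  decbufAlloc *= 2;
}
// … unchanged: single-byte / multi-byte octet decoding …
```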