authorlofi <lofi@FreeBSD.org>2006-01-21 05:58:44 +0800
committerlofi <lofi@FreeBSD.org>2006-01-21 05:58:44 +0800
commit484d798e7335f47f88824e6434693d1cb39c27fa (patch)
tree8dce271b9f8baf7d96cee35318f7af40d12ac21d /x11/kdelibs4
parent5051edc79f14b3917712708c525f5f0f00cadd03 (diff)
Fix an incorrect bounds check in kjs, the JavaScript interpreter engine used
by Konqueror and other parts of KDE, that allowed a heap-based buffer overflow when decoding specially crafted UTF-8 encoded URI sequences. Possible impact included executing arbitrary code and crashing the web browser. Security: http://www.kde.org/info/security/advisory-20060119-1.txt Security: CVE-2006-0019
Diffstat (limited to 'x11/kdelibs4')
-rw-r--r--x11/kdelibs4/Makefile1
-rw-r--r--x11/kdelibs4/files/patch-post-3.4.3-kdelibs-kjs49
2 files changed, 50 insertions, 0 deletions
diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
index df549220c2ea..93d111217512 100644
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -8,6 +8,7 @@
PORTNAME= kdelibs
PORTVERSION= ${KDE_VERSION}
+PORTREVISION= 1
CATEGORIES= x11 kde
MASTER_SITES= ${MASTER_SITE_KDE}
MASTER_SITE_SUBDIR= stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdelibs4/files/patch-post-3.4.3-kdelibs-kjs b/x11/kdelibs4/files/patch-post-3.4.3-kdelibs-kjs
new file mode 100644
index 000000000000..998f389edfb1
--- /dev/null
+++ b/x11/kdelibs4/files/patch-post-3.4.3-kdelibs-kjs
@@ -0,0 +1,49 @@
+Index: kjs/function.cpp
+===================================================================
+--- kjs/function.cpp (revision 495921)
++++ kjs/function.cpp (working copy)
+@@ -77,7 +77,8 @@ UString encodeURI(ExecState *exec, UStri
+ }
+ else if (C.uc >= 0xD800 && C.uc <= 0xDBFF) {
+
+- if (k == string.size()) {
++ // we need two chars
++ if (k + 1 >= string.size()) {
+ Object err = Error::create(exec,URIError);
+ exec->setException(err);
+ free(encbuf);
+@@ -197,6 +198,10 @@ UString decodeURI(ExecState *exec, UStri
+ }
+
+ k += 2;
++
++ if (decbufLen+2 >= decbufAlloc)
++ decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
++
+ if ((B & 0x80) == 0) {
+ // Single-byte character
+ C = B;
+@@ -257,6 +262,12 @@ UString decodeURI(ExecState *exec, UStri
+ assert(n == 4);
+ unsigned long uuuuu = ((octets[0] & 0x07) << 2) | ((octets[1] >> 4) & 0x03);
+ unsigned long vvvv = uuuuu-1;
++ if (vvvv > 0x0F) {
++ Object err = Error::create(exec,URIError);
++ exec->setException(err);
++ free(decbuf);
++ return UString();
++ }
+ unsigned long wwww = octets[1] & 0x0F;
+ unsigned long xx = (octets[2] >> 4) & 0x03;
+ unsigned long yyyy = octets[2] & 0x0F;
+@@ -270,9 +281,7 @@ UString decodeURI(ExecState *exec, UStri
+ }
+
+ if (reservedSet.find(C) < 0) {
+- if (decbufLen+1 >= decbufAlloc)
+- decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
+- decbuf[decbufLen++] = C;
++ decbuf[decbufLen++] = C;
+ }
+ else {
+ while (decbufLen+k-start >= decbufAlloc)
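Review bot: The moved growth step in decodeURI, `decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));` under `if (decbufLen+2 >= decbufAlloc)`, assigns the realloc result straight back to decbuf, so a NULL return leaks the old buffer and the following `decbuf[decbufLen++] = C;` writes through a null pointer. The removed lines had the same shape, so this is pre-existing rather than introduced, but the new location is the natural place to handle it: `UChar *grown = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));` / `if (!grown) { free(decbuf); return UString(); }` / `decbuf = grown;`, setting a URIError first as the new `vvvv > 0x0F` path does so the caller-visible failure mode stays consistent. The `while (decbufLen+k-start >= decbufAlloc)` branch at the end of the hunk presumably grows the buffer the same way, and both encodeURI and decodeURI continue outside the hunk, so the remaining realloc sites cannot be checked from here. Since this file backports an upstream advisory fix, the hardening probably belongs upstream rather than in the port-local patch; what does belong here is a one-line header above `Index: kjs/function.cpp` naming the advisory and CVE-2006-0019 from the commit message, so the next maintainer can recognise the file as a security backport without the commit log.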