# HG changeset patch
# User Deepak Bhole
# Date 1351785047 14400
# Node ID d83a93e3dba552bcd24f5b6d791edf0ada8d663a
# Parent b7d63cc06ec4d37d7fcf2862e71a8458d460b4e2
CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet
diff -r b7d63cc06ec4 -r d83a93e3dba5 ChangeLog
--- a/ChangeLog Tue Aug 07 10:51:27 2012 -0400
+++ b/ChangeLog Thu Nov 01 11:50:47 2012 -0400
@@ -1,3 +1,10 @@
+2012-11-01 Deepak Bhole
+
+ CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event
+ attached to applet
+ * plugin/icedteanp/IcedTeaScriptablePluginObject.cc: Removed unnecessary
+ heap allocations.
+
 2012-08-07 Adam Domurad
 Fixes PR1106, plugin crashing with firefox + archlinux/gentoo
diff -r b7d63cc06ec4 -r d83a93e3dba5 NEWS
--- a/NEWS Tue Aug 07 10:51:27 2012 -0400
+++ b/NEWS Thu Nov 01 11:50:47 2012 -0400
@@ -9,6 +9,8 @@
 CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 New in release 1.1.7 (2012-XX-XX):
+* Security Updates
+ - CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet
 * Plugin
 - PR1106: Buffer overflow in plugin table
diff -r b7d63cc06ec4 -r d83a93e3dba5 plugin/icedteanp/IcedTeaScriptablePluginObject.cc
--- a/plugin/icedteanp/IcedTeaScriptablePluginObject.cc Tue Aug 07 10:51:27 2012 -0400
+++ b/plugin/icedteanp/IcedTeaScriptablePluginObject.cc Thu Nov 01 11:50:47 2012 -0400
@@ -591,10 +591,7 @@
 if (java_result->error_occurred) {
- // error message must be allocated on heap
- char* error_msg = (char*) malloc(java_result->error_msg->length()*sizeof(char));
- strcpy(error_msg, java_result->error_msg->c_str());
- browser_functions.setexception(npobj, error_msg);
+ browser_functions.setexception(npobj, java_result->error_msg->c_str());
 return false;
 }
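Review bot: The new call `browser_functions.setexception(npobj, java_result->error_msg->c_str());` passes a pointer into a string owned by java_result, while the comment it replaces said the message had to live on the heap, and nothing in the hunk records why that is no longer required. If the browser's NPN_SetException copies the message before returning (worth confirming for each host the plugin supports), state that next to the call, for example `// setexception copies the message, so c_str() only has to stay valid for this call`. Without that note a later reader may reintroduce a hand-sized copy buffer, which is where the removed `malloc(java_result->error_msg->length()*sizeof(char))` went wrong by leaving no room for the terminating NUL before `strcpy`. The same applies to the `@@ -871,12 +864,7 @@` hunk; the enclosing functions start and end outside both hunks.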
@@ -853,11 +850,7 @@
 createJavaObjectFromVariant(instance, args[i], &id);
 if (id == "0") {
- // error message must be allocated on heap
- char* error_msg = (char*) malloc(1024*sizeof(char));
- strcpy(error_msg, "Unable to create argument on Java side");
-
- browser_functions.setexception(npobj, error_msg);
+ browser_functions.setexception(npobj, "Unable to create argument on Java side");
 return false;
 }
@@ -871,12 +864,7 @@
 if (java_result->error_occurred) {
- // error message must be allocated on heap
- int length = java_result->error_msg->length();
- char* error_msg = (char*) malloc((length+1)*sizeof(char));
- strcpy(error_msg, java_result->error_msg->c_str());
-
- browser_functions.setexception(npobj, error_msg);
+ browser_functions.setexception(npobj, java_result->error_msg->c_str());
 return false;
 }