changeset 370:596a718be03f

CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet
author Deepak Bhole <dbhole@redhat.com>
date Thu, 01 Nov 2012 11:50:47 -0400
parents f6cdd8639a8d
children 8253e1b5b996
files ChangeLog NEWS plugin/icedteanp/IcedTeaScriptablePluginObject.cc
diffstat 3 files changed, 12 insertions(+), 15 deletions(-) [+]
--- a/ChangeLog	Tue Aug 07 10:59:11 2012 -0400
+++ b/ChangeLog	Thu Nov 01 11:50:47 2012 -0400
@@ -1,3 +1,10 @@
+2012-11-01  Deepak Bhole <dbhole@redhat.com>
+
+	CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event
+	attached to applet
+	* plugin/icedteanp/IcedTeaScriptablePluginObject.cc: Removed unnecessary
+	heap allocations.
+
 2012-08-07  Adam Domurad  <adomurad@redhat.com>
 
 	Fixes PR1106, plugin crashing with firefox + archlinux/gentoo
--- a/NEWS	Tue Aug 07 10:59:11 2012 -0400
+++ b/NEWS	Thu Nov 01 11:50:47 2012 -0400
@@ -9,6 +9,8 @@
 CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
 New in release 1.2.2 (2012-XX-XX):
+* Security Updates
+  - CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet
 * Plugin
   - PR1106: Buffer overflow in plugin table
 
--- a/plugin/icedteanp/IcedTeaScriptablePluginObject.cc	Tue Aug 07 10:59:11 2012 -0400
+++ b/plugin/icedteanp/IcedTeaScriptablePluginObject.cc	Thu Nov 01 11:50:47 2012 -0400
@@ -591,10 +591,7 @@
 
     if (java_result->error_occurred)
     {
-        // error message must be allocated on heap
-        char* error_msg = (char*) malloc(java_result->error_msg->length()*sizeof(char));
-        strcpy(error_msg, java_result->error_msg->c_str());
-        browser_functions.setexception(npobj, error_msg);
+        browser_functions.setexception(npobj, java_result->error_msg->c_str());
         return false;
     }
 
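Review bot: The new `setexception(npobj, java_result->error_msg->c_str())` call drops the old "error message must be allocated on heap" comment without recording why a borrowed pointer is now safe. The pointer belongs to the `std::string` behind `java_result`, so the call is only correct if the browser copies the message before returning; that is presumably the case, but it is not visible in this hunk. I would add a comment above the call such as `// setexception() copies the message; error_msg stays owned by java_result`, so that nobody reintroduces a hand-sized `malloc`/`strcpy` here. The removed lines sized that buffer as `length()` with no room for the terminator. The same comment applies to the identical call in the `@@ -871,12 +864,7 @@` hunk. The enclosing function starts and ends outside this hunk.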
@@ -853,11 +850,7 @@
         createJavaObjectFromVariant(instance, args[i], &id);
         if (id == "0")
         {
-            // error message must be allocated on heap
-            char* error_msg = (char*) malloc(1024*sizeof(char));
-            strcpy(error_msg, "Unable to create argument on Java side");
-
-            browser_functions.setexception(npobj, error_msg);
+            browser_functions.setexception(npobj, "Unable to create argument on Java side");
             return false;
         }
 
@@ -871,12 +864,7 @@
 
     if (java_result->error_occurred)
     {
-        // error message must be allocated on heap
-        int length = java_result->error_msg->length();
-        char* error_msg = (char*) malloc((length+1)*sizeof(char));
-        strcpy(error_msg, java_result->error_msg->c_str());
-
-        browser_functions.setexception(npobj, error_msg);
+        browser_functions.setexception(npobj, java_result->error_msg->c_str());
         return false;
     }