changeset 370:596a718be03f
CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet
author | Deepak Bhole <dbhole@redhat.com> |
---|---|
date | Thu, 01 Nov 2012 11:50:47 -0400 |
parents | f6cdd8639a8d |
children | 8253e1b5b996 |
files | ChangeLog NEWS plugin/icedteanp/IcedTeaScriptablePluginObject.cc |
diffstat | 3 files changed, 12 insertions(+), 15 deletions(-) [+] |
--- a/ChangeLog Tue Aug 07 10:59:11 2012 -0400 +++ b/ChangeLog Thu Nov 01 11:50:47 2012 -0400 @@ -1,3 +1,10 @@ +2012-11-01 Deepak Bhole <dbhole@redhat.com> + + CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event + attached to applet + * plugin/icedteanp/IcedTeaScriptablePluginObject.cc: Removed unnecessary + heap allocations. + 2012-08-07 Adam Domurad <adomurad@redhat.com> Fixes PR1106, plugin crashing with firefox + archlinux/gentoo
--- a/NEWS Tue Aug 07 10:59:11 2012 -0400 +++ b/NEWS Thu Nov 01 11:50:47 2012 -0400 @@ -9,6 +9,8 @@ CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY New in release 1.2.2 (2012-XX-XX): +* Security Updates + - CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet * Plugin - PR1106: Buffer overflow in plugin table
--- a/plugin/icedteanp/IcedTeaScriptablePluginObject.cc Tue Aug 07 10:59:11 2012 -0400 +++ b/plugin/icedteanp/IcedTeaScriptablePluginObject.cc Thu Nov 01 11:50:47 2012 -0400 @@ -591,10 +591,7 @@ if (java_result->error_occurred) { - // error message must be allocated on heap - char* error_msg = (char*) malloc(java_result->error_msg->length()*sizeof(char)); - strcpy(error_msg, java_result->error_msg->c_str()); - browser_functions.setexception(npobj, error_msg); + browser_functions.setexception(npobj, java_result->error_msg->c_str()); return false; } @@ -853,11 +850,7 @@ createJavaObjectFromVariant(instance, args[i], &id); if (id == "0") { - // error message must be allocated on heap - char* error_msg = (char*) malloc(1024*sizeof(char)); - strcpy(error_msg, "Unable to create argument on Java side"); - - browser_functions.setexception(npobj, error_msg); + browser_functions.setexception(npobj, "Unable to create argument on Java side"); return false; } @@ -871,12 +864,7 @@ if (java_result->error_occurred) { - // error message must be allocated on heap - int length = java_result->error_msg->length(); - char* error_msg = (char*) malloc((length+1)*sizeof(char)); - strcpy(error_msg, java_result->error_msg->c_str()); - - browser_functions.setexception(npobj, error_msg); + browser_functions.setexception(npobj, java_result->error_msg->c_str()); return false; }
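Review bot: The two calls that now pass `java_result->error_msg->c_str()` directly to `browser_functions.setexception` (the hunk at new line 591 and the one at new line 864) hand the browser a pointer into a string owned by `java_result`, and nothing in the new code says why that is safe, although the removed comment claimed the message had to be allocated on the heap. If the browser copies the message before `setexception` returns, which these hunks do not show, a comment above each call such as `// setexception copies the message before returning, so no heap copy is needed` would record the lifetime assumption and discourage a later change from bringing back an unchecked `malloc`/`strcpy` pair. The middle hunk passes a string literal, so the lifetime question does not arise there. The message text originates on the Java side, so it is also worth confirming that the browser treats it purely as data when it surfaces the exception to script. The enclosing functions begin and end outside all three hunks.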