# HG changeset patch # User Deepak Bhole # Date 1351785047 14400 # Node ID e7970f3da5fee90156c090119d4e667bdbbc64ae # Parent 11c61503e614b32349397f467b8bc4d313d41556 CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet diff -r 11c61503e614 -r e7970f3da5fe ChangeLog --- a/ChangeLog Mon Sep 17 16:40:25 2012 -0400 +++ b/ChangeLog Thu Nov 01 11:50:47 2012 -0400 @@ -1,3 +1,10 @@ +2012-11-01 Deepak Bhole + + CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event + attached to applet + * plugin/icedteanp/IcedTeaScriptablePluginObject.cc: Removed unnecessary + heap allocations. + 2012-09-17 Deepak Bhole PR1161: X509VariableTrustManager does not work correctly with OpenJDK7 diff -r 11c61503e614 -r e7970f3da5fe NEWS --- a/NEWS Mon Sep 17 16:40:25 2012 -0400 +++ b/NEWS Thu Nov 01 11:50:47 2012 -0400 @@ -9,6 +9,8 @@ CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY New in release 1.3.1 (2012-XX-XX): +* Security Updates + - CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet New in release 1.3 (2012-09-04): * Security updates diff -r 11c61503e614 -r e7970f3da5fe plugin/icedteanp/IcedTeaScriptablePluginObject.cc --- a/plugin/icedteanp/IcedTeaScriptablePluginObject.cc Mon Sep 17 16:40:25 2012 -0400 +++ b/plugin/icedteanp/IcedTeaScriptablePluginObject.cc Thu Nov 01 11:50:47 2012 -0400 @@ -591,10 +591,7 @@ if (java_result->error_occurred) { - // error message must be allocated on heap - char* error_msg = (char*) malloc(java_result->error_msg->length()*sizeof(char)); - strcpy(error_msg, java_result->error_msg->c_str()); - browser_functions.setexception(npobj, error_msg); + browser_functions.setexception(npobj, java_result->error_msg->c_str()); return false; } 
@@ -853,11 +850,7 @@ createJavaObjectFromVariant(instance, args[i], &id); if (id == "0") { - // error message must be allocated on heap - char* error_msg = (char*) malloc(1024*sizeof(char)); - strcpy(error_msg, "Unable to create argument on Java side"); - - browser_functions.setexception(npobj, error_msg); + browser_functions.setexception(npobj, "Unable to create argument on Java side"); return false; } @@ -871,12 +864,7 @@ if (java_result->error_occurred) { - // error message must be allocated on heap - int length = java_result->error_msg->length(); - char* error_msg = (char*) malloc((length+1)*sizeof(char)); - strcpy(error_msg, java_result->error_msg->c_str()); - - browser_functions.setexception(npobj, error_msg); + browser_functions.setexception(npobj, java_result->error_msg->c_str()); return false; }
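Review bot: In the NEWS hunk, the added heading "* Security Updates" is capitalised differently from the existing "* Security updates" heading under release 1.3 in the context lines. Use the same casing so the release notes stay consistent.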
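Review bot: In the @@ -591 hunk of IcedTeaScriptablePluginObject.cc, the removed comment said the error message must be allocated on the heap, and the new call hands java_result->error_msg->c_str() straight to browser_functions.setexception without recording why that requirement no longer holds. The pointer is valid only while the string behind java_result->error_msg is alive and unmodified, so the change is safe only if setexception copies the message before it returns; a one-line comment at the call stating that would document the assumption. The ChangeLog entry could also name the defect itself: the removed malloc sized the buffer as length() with no byte for the terminating NUL that strcpy writes.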
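Review bot: In the @@ -871 hunk, the removed block sized its buffer as length+1 while the otherwise identical block removed in the @@ -591 hunk used length() alone, so two copies of the same error path had drifted apart and only one of them was correct. After the patch both sites are the same pair of lines (the setexception call followed by return false); consider moving them into one small helper so the error reporting cannot diverge again.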