# HG changeset patch # User Jiri Vanek # Date 1379319013 -7200 # Node ID 82e007d8b05ab352086216cec4cac9a896af5635 # Parent 508f65fc113550e8314f97a04d88569de5418c40 CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet diff -r 508f65fc1135 -r 82e007d8b05a ChangeLog --- a/ChangeLog Wed Sep 11 00:00:00 2013 +0200 +++ b/ChangeLog Mon Sep 16 10:10:13 2013 +0200 @@ -1,3 +1,10 @@ +2013-09-16 Deepak Bhole + + CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event + attached to applet + * plugin/icedteanp/IcedTeaScriptablePluginObject.cc: Removed unnecessary + heap allocations. + 2013-09-11 Jacob Wisor * netx/net/sourceforge/jnlp/controlpanel/TemporaryInternetFilesPanel.java: diff -r 508f65fc1135 -r 82e007d8b05a NEWS --- a/NEWS Wed Sep 11 00:00:00 2013 +0200 +++ b/NEWS Mon Sep 16 10:10:13 2013 +0200 @@ -14,6 +14,8 @@ - PR1473 - javaws should not depend on name of local file * Plugin - PR854: Resizing an applet several times causes 100% CPU load +* Security Updates + - CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet New in release 1.4 (2013-05-02): * Added cs localization diff -r 508f65fc1135 -r 82e007d8b05a plugin/icedteanp/IcedTeaScriptablePluginObject.cc --- a/plugin/icedteanp/IcedTeaScriptablePluginObject.cc Wed Sep 11 00:00:00 2013 +0200 +++ b/plugin/icedteanp/IcedTeaScriptablePluginObject.cc Mon Sep 16 10:10:13 2013 +0200 @@ -591,10 +591,7 @@ if (java_result->error_occurred) { - // error message must be allocated on heap - char* error_msg = (char*) malloc(java_result->error_msg->length()*sizeof(char)); - strcpy(error_msg, java_result->error_msg->c_str()); - browser_functions.setexception(npobj, error_msg); + browser_functions.setexception(npobj, java_result->error_msg->c_str()); return false; } 
@@ -853,11 +850,7 @@ createJavaObjectFromVariant(instance, args[i], &id); if (id == "0") { - // error message must be allocated on heap - char* error_msg = (char*) malloc(1024*sizeof(char)); - strcpy(error_msg, "Unable to create argument on Java side"); - - browser_functions.setexception(npobj, error_msg); + browser_functions.setexception(npobj, "Unable to create argument on Java side"); return false; } @@ -871,12 +864,7 @@ if (java_result->error_occurred) { - // error message must be allocated on heap - int length = java_result->error_msg->length(); - char* error_msg = (char*) malloc((length+1)*sizeof(char)); - strcpy(error_msg, java_result->error_msg->c_str()); - - browser_functions.setexception(npobj, error_msg); + browser_functions.setexception(npobj, java_result->error_msg->c_str()); return false; }
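Review bot: In the hunk at -591,10 of plugin/icedteanp/IcedTeaScriptablePluginObject.cc, the new call passes setexception a pointer owned by java_result->error_msg, while the removed comment said "error message must be allocated on heap", and nothing in the patch explains why that requirement no longer holds. Add a short comment at the call stating that setexception does not keep the pointer past the call (if that is the guarantee being relied on), so the next reader does not reintroduce a copy. The removed malloc was sized as length() with no byte for the terminator that strcpy writes, yet the ChangeLog entry only says "Removed unnecessary heap allocations"; naming the undersized buffer there would make the security relevance of the change clear.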
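Review bot: In the hunk at -871,12, java_result->error_msg is dereferenced in `java_result->error_msg->c_str()` with only error_occurred checked, and the visible lines do not show that error_msg is always non-null when that flag is set. Either guard the dereference and fall back to a fixed literal message, or document the invariant next to the check. The same expression appears in the hunk at -591,10, so a small helper that reports the error from java_result would keep both sites consistent; before this change they differed, with length()+1 here and length() there.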