changeset 753:82e007d8b05a
CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet
author | Jiri Vanek <jvanek@redhat.com> |
---|---|
date | Mon, 16 Sep 2013 10:10:13 +0200 |
parents | 508f65fc1135 |
children | 26d15dff70b2 |
files | ChangeLog NEWS plugin/icedteanp/IcedTeaScriptablePluginObject.cc |
diffstat | 3 files changed, 12 insertions(+), 15 deletions(-) [+] |
--- a/ChangeLog Wed Sep 11 00:00:00 2013 +0200
+++ b/ChangeLog Mon Sep 16 10:10:13 2013 +0200
@@ -1,3 +1,10 @@
+2013-09-16 Deepak Bhole <dbhole@redhat.com>
+
+ CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event
+ attached to applet
+ * plugin/icedteanp/IcedTeaScriptablePluginObject.cc: Removed unnecessary
+ heap allocations.
+
 2013-09-11 Jacob Wisor <gitne@gmx.de>
 * netx/net/sourceforge/jnlp/controlpanel/TemporaryInternetFilesPanel.java:
--- a/NEWS Wed Sep 11 00:00:00 2013 +0200
+++ b/NEWS Mon Sep 16 10:10:13 2013 +0200
@@ -14,6 +14,8 @@
 - PR1473 - javaws should not depend on name of local file
 * Plugin
 - PR854: Resizing an applet several times causes 100% CPU load
+* Security Updates
+ - CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet
 New in release 1.4 (2013-05-02):
 * Added cs localization
--- a/plugin/icedteanp/IcedTeaScriptablePluginObject.cc Wed Sep 11 00:00:00 2013 +0200
+++ b/plugin/icedteanp/IcedTeaScriptablePluginObject.cc Mon Sep 16 10:10:13 2013 +0200
@@ -591,10 +591,7 @@
 if (java_result->error_occurred)
 {
- // error message must be allocated on heap
- char* error_msg = (char*) malloc(java_result->error_msg->length()*sizeof(char));
- strcpy(error_msg, java_result->error_msg->c_str());
- browser_functions.setexception(npobj, error_msg);
+ browser_functions.setexception(npobj, java_result->error_msg->c_str());
 return false;
 }
@@ -853,11 +850,7 @@
 createJavaObjectFromVariant(instance, args[i], &id);
 if (id == "0")
 {
- // error message must be allocated on heap
- char* error_msg = (char*) malloc(1024*sizeof(char));
- strcpy(error_msg, "Unable to create argument on Java side");
-
- browser_functions.setexception(npobj, error_msg);
+ browser_functions.setexception(npobj, "Unable to create argument on Java side");
 return false;
 }
@@ -871,12 +864,7 @@
 if (java_result->error_occurred)
 {
- // error message must be allocated on heap
- int length = java_result->error_msg->length();
- char* error_msg = (char*) malloc((length+1)*sizeof(char));
- strcpy(error_msg, java_result->error_msg->c_str());
-
- browser_functions.setexception(npobj, error_msg);
+ browser_functions.setexception(npobj, java_result->error_msg->c_str());
 return false;
 }
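Review bot: The two calls that now pass `java_result->error_msg->c_str()` straight to `browser_functions.setexception` (first hunk, old line 591, and third hunk, old line 871) hand the browser a pointer owned by the string object behind `java_result->error_msg`, and nothing in the new code records why that is sufficient now that the old "must be allocated on heap" comment is gone. That pointer is valid only while the string is alive and unmodified, so the call is safe only if the browser copies the message before `setexception` returns; that is presumably the case, but it is not visible in these hunks and should be confirmed against the plugin API contract. I would add a one-line comment above each call, e.g. `// setexception() is expected to copy the message; c_str() only has to stay valid for the duration of the call`, so a later maintainer does not reintroduce a hand-sized heap copy. The second hunk passes a string literal and needs nothing, and the enclosing functions begin and end outside all three hunks.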