From 89cfde63b8a29b6513d65cfb0f16b2b210257063 Mon Sep 17 00:00:00 2001
From: Francois Andriot <francois.andriot@free.fr>
Date: Sat, 1 Jun 2013 18:12:53 +0200
Subject: Fix possible DOS in konqueror (CVE-2009-2537)

---
 tdehtml/ecma/kjs_html.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

(limited to 'tdehtml')

diff --git a/tdehtml/ecma/kjs_html.cpp b/tdehtml/ecma/kjs_html.cpp
index abd059e75..83de94612 100644
--- a/tdehtml/ecma/kjs_html.cpp
+++ b/tdehtml/ecma/kjs_html.cpp
@@ -62,6 +62,9 @@
 
 #include <kdebug.h>
 
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
+#define MAX_SELECT_LENGTH 10000
+
 namespace KJS {
 
 KJS_DEFINE_PROTOTYPE_WITH_PROTOTYPE(HTMLDocumentProto, DOMDocumentProto)
@@ -2550,8 +2553,14 @@ void KJS::HTMLElement::putValueProperty(ExecState *exec, int token, const Value&
       case SelectValue:           { select.setValue(str); return; }
       case SelectLength:          { // read-only according to the NS spec, but webpages need it writeable
                                          Object coll = Object::dynamicCast( getSelectHTMLCollection(exec, select.options(), select) );
-                                         if ( coll.isValid() )
-                                           coll.put(exec,"length",value);
+                                         if ( coll.isValid() ) {
+                                           if (value.toInteger(exec) >= MAX_SELECT_LENGTH) {
+                                             Object err = Error::create(exec, RangeError);
+                                             exec->setException(err);
+                                           } else {
+                                             coll.put(exec, "length", value);
+                                           }
+                                         }
                                          return;
                                        }
       // read-only: form
-- 
cgit v1.2.1