File bnc512559-2009-1690.diff of Package kdelibs4

------------------------------------------------------------------------
r983316 | mueller | 2009-06-17 23:00:06 +0000 (Wed, 17 Jun 2009) | 2 lines
Changed paths:
   M /branches/KDE/4.2/kdelibs/khtml/html/htmlparser.cpp
   M /branches/KDE/4.2/kdelibs/khtml/html/htmlparser.h

fix crash on <head> occurring twice (CVE-2009-1690)

------------------------------------------------------------------------
Index: branches/KDE/4.2/kdelibs/khtml/html/htmlparser.h
===================================================================
--- khtml/html/htmlparser.h	(revision 983315)
+++ khtml/html/htmlparser.h	(revision 983316)
@@ -157,7 +157,7 @@
     /*
      * the head element. Needed for crappy html which defines <base> after </head>
      */
-    DOM::HTMLHeadElementImpl *head;
+    RefPtr<DOM::HTMLHeadElementImpl> head;
 
     /*
      * a possible <isindex> element in the head. Compatibility hack for
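Review bot: The comment above `head` still explains only why the pointer exists and does not record that the parser now holds a counted reference to the element. I would add a line such as `* Held through RefPtr: the parser keeps its own reference, so never delete it manually.` Related to the same lifetime change, the hunk at -216 in htmlparser.cpp drops `head = 0;`, and its enclosing function is not visible. If that is a reset path rather than a constructor, the old element would stay referenced across resets and `if(!head)` would stay false, so it is worth confirming that `head = 0;` was not still wanted there.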
Index: branches/KDE/4.2/kdelibs/khtml/html/htmlparser.cpp
===================================================================
--- khtml/html/htmlparser.cpp	(revision 983315)
+++ khtml/html/htmlparser.cpp	(revision 983316)
@@ -216,7 +216,6 @@
 
     form = 0;
     map = 0;
-    head = 0;
     end = false;
     isindex = 0;
 
@@ -678,8 +677,7 @@
             case ID_BASE:
                 if(!head) {
                     head = new HTMLHeadElementImpl(document);
-                    e = head;
-                    insertNode(e);
+                    insertNode(head.get());
                     handled = true;
                 }
                 break;
@@ -894,7 +892,7 @@
     case ID_HEAD:
         if(!head && (current->id() == ID_HTML || current->isDocumentNode())) {
             head = new HTMLHeadElementImpl(document);
-            n = head;
+            n = head.get();
         }
         break;
     case ID_BODY:
@@ -1907,19 +1905,19 @@
     head = new HTMLHeadElementImpl(document);
     HTMLElementImpl *body = doc()->body();
     int exceptioncode = 0;
-    doc()->documentElement()->insertBefore(head, body, exceptioncode);
+    doc()->documentElement()->insertBefore(head.get(), body, exceptioncode);
     if ( exceptioncode ) {
 #ifdef PARSER_DEBUG
         kDebug( 6035 ) << "creation of head failed!!!!:" << exceptioncode;
 #endif
-        delete head;
+        delete head.get();
         head = 0;
     }
         
     // If the body does not exist yet, then the <head> should be pushed as the current block.
     if (head && !body) {
         pushBlock(head->id(), tagPriority(head->id()));
-        setCurrent(head);
+        setCurrent(head.get());
     }
 }
 
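Review bot: In the `exceptioncode` branch, `delete head.get();` followed by `head = 0;` destroys the element while the RefPtr still holds its reference, so the assignment would drop a reference on an already freed object (assuming RefPtr releases its pointee on assignment, as the header change to `RefPtr<DOM::HTMLHeadElementImpl> head;` implies). That turns the error path into a use-after-free or double delete, the same class of bug this commit is fixing. The manual delete should go and the branch should keep only `head = 0;`, letting the reference count free the element. The enclosing function starts above the hunk, so whether `insertBefore` has already released the node on failure cannot be checked from here.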