authorJiri Vanek <[email protected]>2013-09-16 10:09:57 +0200
committerJiri Vanek <[email protected]>2013-09-16 10:09:57 +0200
commitbba31a09cb46e559f61a9694a5dbcf1b89c1f938 (patch)
tree00880ea48545553b204d82148243641c2fe52f26 /plugin
parent46fda88be141665fcae20f55ff71febf3e849596 (diff)
CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet
Diffstat (limited to 'plugin')
-rw-r--r--plugin/icedteanp/IcedTeaScriptablePluginObject.cc18
1 files changed, 3 insertions, 15 deletions
diff --git a/plugin/icedteanp/IcedTeaScriptablePluginObject.cc b/plugin/icedteanp/IcedTeaScriptablePluginObject.cc
index d78fb2d..d594afa 100644
--- a/plugin/icedteanp/IcedTeaScriptablePluginObject.cc
+++ b/plugin/icedteanp/IcedTeaScriptablePluginObject.cc
@@ -618,10 +618,7 @@ IcedTeaScriptableJavaObject::invoke(NPObject *npobj, NPIdentifier name_id, const
if (java_result->error_occurred)
{
- // error message must be allocated on heap
- char* error_msg = (char*) malloc(java_result->error_msg->length()*sizeof(char));
- strcpy(error_msg, java_result->error_msg->c_str());
- browser_functions.setexception(npobj, error_msg);
+ browser_functions.setexception(npobj, java_result->error_msg->c_str());
return false;
}
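Review bot: The new `setexception` call in `invoke` passes a pointer borrowed from `java_result->error_msg`, but the removed comment said the message had to live on the heap, and nothing now records why that no longer holds. The call is safe only if the browser copies the message before `setexception` returns, which the hunk does not show. I would state that next to the call, e.g. `// setexception is assumed to copy the message; the buffer stays owned by java_result`. The same applies to the identical call in the last `construct` hunk; the string literal in the middle hunk has static storage and needs no such comment. Both function bodies start and end outside the hunks.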
@@ -874,11 +871,7 @@ IcedTeaScriptableJavaObject::construct(NPObject *npobj, const NPVariant *args, u
createJavaObjectFromVariant(instance, args[i], &id);
if (id == "0")
{
- // error message must be allocated on heap
- char* error_msg = (char*) malloc(1024*sizeof(char));
- strcpy(error_msg, "Unable to create argument on Java side");
-
- browser_functions.setexception(npobj, error_msg);
+ browser_functions.setexception(npobj, "Unable to create argument on Java side");
return false;
}
@@ -892,12 +885,7 @@ IcedTeaScriptableJavaObject::construct(NPObject *npobj, const NPVariant *args, u
if (java_result->error_occurred)
{
- // error message must be allocated on heap
- int length = java_result->error_msg->length();
- char* error_msg = (char*) malloc((length+1)*sizeof(char));
- strcpy(error_msg, java_result->error_msg->c_str());
-
- browser_functions.setexception(npobj, error_msg);
+ browser_functions.setexception(npobj, java_result->error_msg->c_str());
return false;
}