Fwd: Re: Buffer Overflow with all versions of Internet Explorer and Javacript.

Koos Vriezen koos.vriezen at xs4all.nl
Tue Jun 4 19:12:04 BST 2002 

On Tue, 4 Jun 2002, Koos Vriezen wrote:
> On Tue, 4 Jun 2002, Harri Porten wrote:
> > The only limit that was and still is there is against too many recursive
> > calls to the interpreter (html event->js->html->js->...). I'll try to
> > think of something for internal recursions. But I wouldn't know what to
> > really do against infinite loops like while(1);. They can be by design and
> > harmless but there is no way to abort them, yet. Easier with threading.
>
> Maybe use SIGALARM?

Just a small hack that stops a 'while(true);' script after 5 seconds:

diff -u -3 -p -r1.8 interpreter.cpp
--- interpreter.cpp     2002/03/04 01:19:14     1.8
+++ interpreter.cpp     2002/06/04 18:06:15
@@ -359,8 +359,11 @@ Value ExecState::exception() const
   return rep->exception;
 }

+bool terminate_request = false;
 bool ExecState::hadException() const
 {
+  if (terminate_request)
+      rep->exception = Error::create((ExecState*)this);
   return !rep->exception.isNull();
 }
diff -u -3 -p -r1.75 kjs_proxy.cpp
--- ecma/kjs_proxy.cpp  2002/06/02 16:25:03     1.75
+++ ecma/kjs_proxy.cpp  2002/06/04 18:08:41
@@ -27,6 +27,8 @@
 #include <khtml_part.h>
 #include <kprotocolmanager.h>
 #include <kdebug.h>
+#include <unistd.h>
+#include <signal.h>

 using namespace KJS;

@@ -87,6 +89,11 @@ KJSProxyImpl::~KJSProxyImpl()
 #endif
 }

+extern bool terminate_request;
+void alarmHandler(int) {
+    terminate_request = true;
+}
+
 QVariant KJSProxyImpl::evaluate(QString filename, int baseLine,
                                 const QString&str, const DOM::Node &n) {
   // evaluate code. Returns the JS return value or an invalid QVariant
@@ -116,7 +123,11 @@ QVariant KJSProxyImpl::evaluate(QString
   KJS::Value thisNode = n.isNull() ? Window::retrieve( m_part ) :
getDOMNode(m_script->globalExec(),n);

   UString code( str );
+  terminate_request = false;
+  signal(SIGALRM, alarmHandler);
+  alarm(5);
   Completion comp = m_script->evaluate(code, thisNode);
+  alarm(0);
   bool success = ( comp.complType() == Normal ) || ( comp.complType() ==
ReturnValue );


alarmHandler should ask user to continue or terminate JS job.

Regards,

Koos

More information about the kfm-devel mailing list