limit the number of columns spanned, as a protection against suspicous html code, bug 86293, r=karnaze, sr=bzbarksy

2024-10-20 16:55:40 +00:00 · 2002-11-19 15:43:22 +00:00 · 2002-11-19 15:43:22 +00:00 · 72edc1148f
commit 72edc1148f
parent 3d0e97ae5b
1 changed files with 6 additions and 1 deletions
--- a/content/html/content/src/nsHTMLTableColElement.cpp
+++ b/content/html/content/src/nsHTMLTableColElement.cpp
@ -47,6 +47,10 @@
 #include "nsIPresContext.h"
 #include "nsRuleNode.h"

+// use the same protection as ancient code did 
+// http://lxr.mozilla.org/classic/source/lib/layout/laytable.c#46
+#define MAX_COLSPAN 1000
+
 class nsHTMLTableColElement : public nsGenericHTMLContainerElement,
                              public nsIDOMHTMLTableColElement,
                              public nsIHTMLTableColElement
@ -186,7 +190,8 @@ nsHTMLTableColElement::StringToAttribute(nsIAtom* aAttribute,
    }
  }
  else if (aAttribute == nsHTMLAtoms::span) {
-    if (ParseValue(aValue, 1, aResult, eHTMLUnit_Integer)) {
+    /* protection from unrealistic large colspan values */
+    if (ParseValue(aValue, 1, MAX_COLSPAN, aResult, eHTMLUnit_Integer)) {
      return NS_CONTENT_ATTR_HAS_VALUE;
    }
  }