Bug: Possible dangling pointer in istack.c

From: Randy Waki <rwaki@flipdog.com>
Date: Mon, 7 Aug 2000 00:08:10 -0600
To: <html-tidy@w3.org>, <dsr@w3.org>
Message-ID: <000001c00035$dd045810$51eee13f@rwaki>
I think I've discovered a dangling pointer bug in istack.c.  When
PopInLine() in istack.c pops the stack, it fails to check if lexer->insert
is pointing past the new end of stack.  This can cause a subsequent call
to InsertedToken() to dereference the bogus lexer->insert.

The fix is in the last if statement of PopInLine(), where the stack is
popped: if lexer->insert points past the end of the stack, set it to null.
(It's possible a similar check needs to be performed just above, too.)

The following document should cause this condition to occur.  I could not
see any outward symptoms on Windows NT but it should be simple to see in a
debugger.  I don't have a C compiler/debugger, so I can't verify this
firsthand or provide the C code for the fix.

However, I've seen this occur in JTidy using a Java debugger.  The JTidy
equivalent to the fix described above seems to work.  Also, I think this
is the cause of a previously reported ArrayOutOfBounds exception in JTidy:

   http://lists.w3.org/Archives/Public/html-tidy/2000AprJun/0155.html

------------------------ Example HTML document ---------------------------
<html>
<head><title>x</title></head>
<body>
<dl>
<dd><i>abc</dd></i>
</dl>
</body>
</html>
--------------------------------------------------------------------------

Thanks,
Randy
Received on Monday, 7 August 2000 02:09:02 GMT
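As an added illustration of the failure mode described in the message (this is constructed example code, not Tidy's istack.c; the struct and function names are simplified stand-ins chosen here): a toy inline stack whose pop either leaves the insertion cursor dangling, or, in the fixed variant, nulls it when it points past the new end of stack.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for Tidy's inline stack; these names are chosen
   here and are NOT the real istack.c definitions. */
#define ISTACK_MAX 8

typedef struct { const char *tag; } IStack;

typedef struct {
    IStack  istack[ISTACK_MAX]; /* inline elements currently open */
    size_t  istacksize;         /* number of live entries */
    IStack *insert;             /* cursor used by InsertedToken(), or NULL */
} Lexer;

static void push_inline(Lexer *lexer, const char *tag) {
    if (lexer->istacksize < ISTACK_MAX)
        lexer->istack[lexer->istacksize++].tag = tag;
}

/* Buggy pop, as described in the report: the cursor is left alone even
   when it now points past the new end of the stack. */
static void pop_inline_buggy(Lexer *lexer) {
    if (lexer->istacksize > 0)
        lexer->istacksize--;
}

/* Fixed pop: if the cursor points at or past the new end, null it out so
   a later InsertedToken()-style read cannot dereference a dead entry. */
static void pop_inline_fixed(Lexer *lexer) {
    if (lexer->istacksize > 0)
        lexer->istacksize--;
    if (lexer->insert != NULL &&
        lexer->insert >= lexer->istack + lexer->istacksize)
        lexer->insert = NULL;
}

/* The invariant InsertedToken() relies on: either no cursor, or one that
   points at a live entry. */
static int insert_is_valid(const Lexer *lexer) {
    return lexer->insert == NULL ||
           lexer->insert < lexer->istack + lexer->istacksize;
}

/* Replays <dd><i>abc</dd></i>: <i> is pushed and becomes the pending
   insertion point, then </dd> forces the inline stack to be popped.
   Returns 1 if the cursor is still safe afterwards, 0 if it dangles. */
int replay_example(int use_fix) {
    Lexer lexer;
    memset(&lexer, 0, sizeof lexer);
    push_inline(&lexer, "i");
    lexer.insert = &lexer.istack[0];  /* InsertedToken() would read here */
    if (use_fix) pop_inline_fixed(&lexer); else pop_inline_buggy(&lexer);
    return insert_is_valid(&lexer);
}
```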