Re: Bug: Possible dangling pointer in istack.c

At 12:08 AM -0600 8/7/2000, Randy Waki wrote:
>I think I've discovered a dangling pointer bug in istack.c.  When
>PopInLine() in istack.c pops the stack, it fails to check if lexer->insert
>is pointing past the new end of stack.  This can cause a subsequent call
>to InsertedToken() to dereference the bogus lexer->insert.
>
>The fix is in the last if statement of PopInLine(), where the stack is
>popped: if lexer->insert points past the end of the stack, set it to null.
>(It's possible a similar check needs to be performed just above, too.)
>
>The following document should cause this condition to occur.  I could not
>see any outward symptoms on Windows NT but it should be simple to see in a
>debugger.  I don't have a C compiler/debugger, so I can't verify this
>firsthand or provide the C code for the fix.
>
>However, I've seen this occur in JTidy using a Java debugger.  The JTidy
>equivalent to the fix described above seems to work.  Also, I think this
>is the cause of a previously reported ArrayOutOfBounds exception in JTidy:
>
>   http://lists.w3.org/Archives/Public/html-tidy/2000AprJun/0155.html
>
>------------------------ Example HTML document ---------------------------
><html>
><head><title>x</title></head>
><body>
><dl>
><dd><i>abc</dd></i>
></dl>
></body>
></html>
>--------------------------------------------------------------------------

Yes, it looks like you are right. Andy Quick supplied a "fix" over a year
ago, that I applied to my code, but had never seen the effect of this "fix"
until your example.

Specifically, Andy added the following lines at line 204 (04 Aug 00
version) of istack.c in function InsertedToken():

    if (lexer->istacksize == 0)    /* Andy Quick 13 Jun 99 */
        tidy_out(lexer->errout, "0-size istack!\n");

I have yet to verify your suggested fix.

Regards, Terry

Received on Monday, 7 August 2000 03:52:47 UTC
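As an added illustration, not code from Tidy or from either message: a hypothetical C model of the inline stack using the field names the report mentions (istack, istacksize, insert), with the PopInLine() check the report proposes, replayed on the quoted `<dd><i>abc</dd></i>` case.

```c
#include <stddef.h>

#define ISTACK_MAX 8   /* fixed capacity; enough for the demo */

/* Hypothetical model of Tidy's inline-element stack using the field names
 * from the report (istack, istacksize, insert). It is not Tidy's code. */
typedef struct { const char *element; } IStack;

typedef struct {
    IStack istack[ISTACK_MAX]; /* open inline elements, oldest first */
    int istacksize;            /* live entries */
    IStack *insert;            /* entry InsertedToken() re-inserts next, or NULL */
} Lexer;

static void PushInline(Lexer *lexer, const char *element) {
    if (lexer->istacksize < ISTACK_MAX)
        lexer->istack[lexer->istacksize++].element = element;
}

/* Pops the top inline element. The trailing check is the fix the report
 * describes: after the stack shrinks, an insert pointer at or beyond the
 * new top would dangle, so it is set to NULL. */
static void PopInLine(Lexer *lexer) {
    if (lexer->istacksize == 0) return;
    lexer->istacksize--;
    if (lexer->insert != NULL &&
        lexer->insert >= lexer->istack + lexer->istacksize)
        lexer->insert = NULL;
}

/* Returns the next element to re-insert, or NULL when none is pending.
 * Because PopInLine() clears a dangling insert, the dereference is safe. */
static const char *InsertedToken(Lexer *lexer) {
    if (lexer->insert == NULL) return NULL;
    const char *element = lexer->insert->element;
    if (++lexer->insert >= lexer->istack + lexer->istacksize)
        lexer->insert = NULL;
    return element;
}

/* Replays the quoted case: <i> is open and queued for re-insertion when
 * </dd> pops it. Returns 1 if InsertedToken() then reports nothing pending. */
static int ReplayReport(void) {
    Lexer lexer = {0};
    PushInline(&lexer, "i");
    lexer.insert = &lexer.istack[0];   /* <i> queued for re-insertion */
    PopInLine(&lexer);                 /* </dd> closes the block, popping <i> */
    return lexer.insert == NULL && InsertedToken(&lexer) == NULL;
}
```

Without the check in PopInLine(), lexer.insert would still point at the popped slot and InsertedToken() would read stale stack contents.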