Tidy inline stack bug from Andy Quick on 2000-03-24 (html-tidy@w3.org from January to March 2000)

From: Andy Quick <ac.quick@sympatico.ca>
Date: Fri, 24 Mar 2000 11:47:54 -0600
To: <html-tidy@w3.org>
Message-ID: <OFE1F7ABB2.A05B2CAA-ON862568A2.000BB7C1@rfdinc.com>

I got a bug report with Java tidy that applies to C tidy
as well.  I spent some time arriving at a small test
case that shows the problem, but it's a little beyond
me right now as to how to fix it.

It appears that tidy tries to return a node from an
empty inline stack.  C tidy doesn't actually GPF, it
just reads unallocated memory.  Java tidy throws an
exception when accessing a 0-sized vector.

If you put the lines marked with * into the function
InsertedToken in istack.c, you will see the message
"0-size istack" printed as tidy parses the example
(illegal) HTML file below.

Regards,

Andy Quick
---- from InsertedToken(Lexer *lexer) ----
    node = NewNode();
    node->type = StartTag;
    node->implicit = yes;
    node->start = lexer->txtstart;
    node->end = lexer->txtstart;
    istack = lexer->insert;
*   if (lexer->istacksize == 0)
*       tidy_out(lexer->errout, "0-size istack!\n");
    node->element = wstrdup(istack->element);    node->attributes = DupAttrs(istack->attributes);
---- HTML test case -----
<HTML>
<HEAD>
<TITLE></TITLE><BODY>

<DL>
<EM>
<DD>blah</DD></DL>

</BODY>
</HTML>

Received on Friday, 24 March 2000 14:13:49 UTC