- From: Randy Waki <rwaki@flipdog.com>
- Date: Mon, 7 Aug 2000 00:08:10 -0600
- To: <html-tidy@w3.org>, <dsr@w3.org>
I think I've discovered a dangling pointer bug in istack.c. When PopInLine() in istack.c pops the stack, it fails to check if lexer->insert is pointing past the new end of stack. This can cause a subsequent call to InsertedToken() to dereference the bogus lexer->insert.

The fix is in the last if statement of PopInLine(), where the stack is popped: if lexer->insert points past the end of the stack, set it to null. (It's possible a similar check needs to be performed just above, too.)

The following document should cause this condition to occur. I could not see any outward symptoms on Windows NT but it should be simple to see in a debugger. I don't have a C compiler/debugger, so I can't verify this firsthand or provide the C code for the fix. However, I've seen this occur in JTidy using a Java debugger. The JTidy equivalent to the fix described above seems to work.

Also, I think this is the cause of a previously reported ArrayOutOfBounds exception in JTidy:
http://lists.w3.org/Archives/Public/html-tidy/2000AprJun/0155.html

------------------------ Example HTML document ---------------------------
<html>
<head><title>x</title></head>
<body>
<dl>
<dd><i>abc</dd></i>
</dl>
</body>
</html>
--------------------------------------------------------------------------

Thanks,
Randy
Received on Monday, 7 August 2000 02:09:02 UTC
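To make the reported condition concrete, here is an added, self-contained C model of an inline stack with an insert pointer into it, showing the unchecked pop beside the checked one. It is not Tidy's istack.c: the struct layout, the function names and the pop logic are constructed assumptions that mirror the shape described in the report, and the `<dd><i>abc</dd></i>` replay is a hand-built sequence of push, insert and pop rather than Tidy's actual parse.

```c
#include <stddef.h>

/* Constructed, simplified model of an inline-element stack with a pointer
   into it; it mirrors the lexer->istack / lexer->insert shape described in
   the report but is NOT Tidy's istack.c (all names here are assumptions). */
typedef struct { const char *element; } IStack;

typedef struct {
    IStack istack[16];
    size_t istacksize;   /* number of live entries */
    IStack *insert;      /* points at a live entry, or NULL */
} Lexer;

static void push_inline(Lexer *lexer, const char *element)
{
    lexer->istack[lexer->istacksize++].element = element;
}

/* Unchecked pop (the reported bug): the stack shrinks but lexer->insert is
   left untouched, so it can now point past the new end of the stack. */
static void pop_inline_unchecked(Lexer *lexer)
{
    if (lexer->istacksize > 0) lexer->istacksize--;
}

/* Checked pop (the fix the report proposes): after shrinking, null out
   lexer->insert if it points at or past the new end of the stack. */
static void pop_inline_checked(Lexer *lexer)
{
    if (lexer->istacksize > 0) lexer->istacksize--;
    if (lexer->insert && lexer->insert >= lexer->istack + lexer->istacksize)
        lexer->insert = NULL;
}
/* 1: insert is a live entry; 0: insert is NULL; -1: insert dangles. */
int insert_state(const Lexer *lexer)
{
    if (lexer->insert == NULL) return 0;
    if (lexer->insert >= lexer->istack &&
        lexer->insert < lexer->istack + lexer->istacksize) return 1;
    return -1;
}
/* Replays the <dd><i>abc</dd></i> case: <i> is pushed and becomes the
   insert point, then the stack is popped when </dd> closes the <dd>. */
int reproduce(int use_fix)
{
    Lexer lexer = {0};                      /* zeroed: empty stack, insert NULL */
    push_inline(&lexer, "i");
    lexer.insert = &lexer.istack[lexer.istacksize - 1];
    if (use_fix) pop_inline_checked(&lexer); else pop_inline_unchecked(&lexer);
    return insert_state(&lexer);            /* -1 without the fix, 0 with it */
}
```

`reproduce(0)` returns -1 (lexer->insert still points at the popped entry, exactly what InsertedToken() would then dereference), while `reproduce(1)` returns 0 because the checked pop nulled it.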