Re: Bug: Possible dangling pointer in istack.c from Dave Raggett on 2000-08-07 (html-tidy@w3.org from July to September 2000)

From: Dave Raggett <dsr@w3.org>
Date: Mon, 7 Aug 2000 16:13:10 +0100 (GMT Daylight Time)
To: Randy Waki <rwaki@flipdog.com>
cc: html-tidy@w3.org
Message-ID: <Pine.WNT.4.10.10008071612410.-557727@hazel.hpl.hp.com>

On Mon, 7 Aug 2000, Randy Waki wrote:

> I think I've discovered a dangling pointer bug in istack.c.  
> When PopInLine() in istack.c pops the stack, it fails to check
> if lexer->insert is pointing past the new end of stack.  This
> can cause a subsequent call to InsertedToken() to dereference
> the bogus lexer->insert.
> 
> The fix is in the last if statement of PopInLine(), where the
> stack is popped: if lexer->insert points past the end of the
> stack, set it to null. (It's possible a similar check needs to
> be performed just above, too.)

Thanks for the bug fix and example code.

Regards,

-- Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett
tel/fax: +44 122 578 3011 (or 2521) +44 778 532 0444 (mobile)
World Wide Web Consortium (on assignment from HP Labs)

Received on Monday, 7 August 2000 11:13:24 UTC