Commit
Gumbo: Fix the segfault that lcamtuf identified through fuzz-testing:
http://lcamtuf.coredump.cx/.smieci./gumbo_segv.small

The problem occurred when a formatting element was opened, a <frameset> resulted in all nodes being popped off the <body>, and then a whitespace character followed the ending <html> tag. When the <body> is removed and replaced with the frameset, I destroy it to prevent a memory leak. Unfortunately this also frees the formatting element contained in it, but there are references still on the list of active formatting elements. When that list is reconstructed to add the whitespace character at the end of the <html>, the non-existent formatting nodes are cloned, causing a crash.

The fix I'm doing is just to clear the list of active formatting elements when the <body> is replaced. This isn't quite in the spec, but this is enough of an edge case that I think the deviation is okay.

This also fixes another bug where the ending </html> tag wasn't being properly recorded after framesets.

-------------
Created by MOE: http://code.google.com/p/moe-java
MOE_MIGRATED_REVID=57745367
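The use-after-free pattern the commit message describes, as an added example in C that is not Gumbo's code: a toy DOM tree plus a separate list of "active formatting elements" that stores raw pointers into the tree. The type and function names (`Node`, `ActiveFormatting`, `replace_body_with_frameset`, `reconstruct_and_insert`) and the reconstruction-by-cloning step are simplified assumptions for illustration, not Gumbo's API. `clear_afe == 0` reproduces the bug (the `<b>` inside `<body>` is freed but its list entry survives); `clear_afe == 1` applies the commit's fix of emptying the list before the subtree is destroyed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Gumbo's code: a minimal DOM-like tree plus a separate
 * list of active formatting elements holding raw pointers into that tree.
 * All names here are invented for illustration. */

#define MAX 8

typedef struct Node {
    char tag[16];
    struct Node *children[MAX];
    size_t num_children;
} Node;

typedef struct {
    Node *items[MAX];
    size_t len;
} ActiveFormatting;

static Node *node_new(const char *tag) {
    Node *n = calloc(1, sizeof *n);
    strncpy(n->tag, tag, sizeof n->tag - 1);
    return n;
}

static void node_append(Node *parent, Node *child) {
    if (parent->num_children < MAX)
        parent->children[parent->num_children++] = child;
}

/* Frees a whole subtree; any pointer kept elsewhere now dangles. */
static void node_destroy(Node *n) {
    for (size_t i = 0; i < n->num_children; i++)
        node_destroy(n->children[i]);
    free(n);
}

/* Address-only reachability test: is p one of the live nodes under root? */
static int tree_contains(const Node *root, const Node *p) {
    if (root == p) return 1;
    for (size_t i = 0; i < root->num_children; i++)
        if (tree_contains(root->children[i], p)) return 1;
    return 0;
}

/* "Reconstruct active formatting elements": clone each entry as a nested chain
 * under target, then place the text at the bottom. Safe only while every entry
 * still points at a live node. Returns the number of clones made. */
static size_t reconstruct_and_insert(Node *target, const ActiveFormatting *afe,
                                     const char *text) {
    Node *parent = target;
    for (size_t i = 0; i < afe->len; i++) {
        Node *clone = node_new(afe->items[i]->tag); /* UAF if entry was freed */
        node_append(parent, clone);
        parent = clone;
    }
    node_append(parent, node_new(text));
    return afe->len;
}

/* Swap <body> for <frameset> and free the old subtree. clear_afe == 0 is the
 * bug (entries for elements inside <body> outlive the free); clear_afe == 1 is
 * the commit's fix. Returns how many list entries are left dangling. */
static size_t replace_body_with_frameset(Node *html, ActiveFormatting *afe,
                                         int clear_afe) {
    Node *body = NULL;
    for (size_t i = 0; i < html->num_children; i++)
        if (strcmp(html->children[i]->tag, "body") == 0) {
            body = html->children[i];
            html->children[i] = node_new("frameset");
        }
    if (!body) return 0;
    if (clear_afe) afe->len = 0;
    /* Count before freeing so no freed pointer value is ever inspected. */
    size_t dangling = 0;
    for (size_t i = 0; i < afe->len; i++)
        if (tree_contains(body, afe->items[i])) dangling++;
    node_destroy(body);
    return dangling;
}

/* <html><body><b></b></body></html> with <b> on the active list, then the
 * frameset replacement, then the whitespace that follows </html>. */
static size_t run_scenario(int clear_afe) {
    Node *html = node_new("html");
    Node *body = node_new("body");
    Node *b    = node_new("b");
    node_append(html, body);
    node_append(body, b);
    ActiveFormatting afe = { { b }, 1 };

    size_t dangling = replace_body_with_frameset(html, &afe, clear_afe);
    /* On the buggy path this call is the lcamtuf segfault, so it is skipped. */
    if (dangling == 0)
        reconstruct_and_insert(html, &afe, " ");
    node_destroy(html);
    return dangling;
}

int main(void) {
    printf("without clearing the list: %zu dangling entry\n", run_scenario(0));
    printf("with the fix:              %zu dangling entries\n", run_scenario(1));
    return 0;
}
```

`run_scenario(0)` returns 1: the list still names the freed `<b>`, and the reconstruction that the trailing whitespace triggers would read that freed node (what the fuzz case crashed on). `run_scenario(1)` returns 0, and reconstruction then just appends the whitespace under `<html>` with no clones. The general lesson is the one in the message: any side table that holds raw pointers into a tree must be cleared or pruned in the same step that frees part of that tree.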