bug 269095: crash on malformed html page that caused us to try to handle misplaced content while we were already handling misplaced content. r=jst sr=rbs

2025-02-03 12:35:58 +00:00 · 2004-11-13 06:37:43 +00:00 · 2004-11-13 06:37:43 +00:00 · b546721cb7
commit b546721cb7
parent a597cad46b
1 changed files with 20 additions and 6 deletions
--- a/parser/htmlparser/src/CNavDTD.cpp
+++ b/parser/htmlparser/src/CNavDTD.cpp
@ -120,7 +120,8 @@ static char gShowCRC;
 #define NS_DTD_FLAG_FRAMES_ENABLED         0x00000200
 #define NS_DTD_FLAG_ALTERNATE_CONTENT      0x00000400 // NOFRAMES, NOSCRIPT 
 #define NS_DTD_FLAG_MISPLACED_CONTENT      0x00000800
-#define NS_DTD_FLAG_STOP_PARSING           0x00001000
+#define NS_DTD_FLAG_IN_MISPLACED_CONTENT   0x00001000
+#define NS_DTD_FLAG_STOP_PARSING           0x00002000

 /**
 *  This method gets called as part of our COM-like interfaces.
@ -589,11 +590,14 @@ nsresult CNavDTD::DidBuildModel(nsresult anErrorCode,
      if (mFlags & NS_DTD_FLAG_MISPLACED_CONTENT) {
        // Looks like the misplaced contents are not processed yet.
        // Here is our last chance to handle the misplaced content.
-        mFlags &= ~NS_DTD_FLAG_MISPLACED_CONTENT; 
        
-        // mContextTopIndex refers to the misplaced content's legal parent index.
-        result = HandleSavedTokens(mBodyContext->mContextTopIndex);
-        NS_ENSURE_SUCCESS(result, result);
+        // Loop until we've really consumed all of our misplaced content.
+        do {
+          mFlags &= ~NS_DTD_FLAG_MISPLACED_CONTENT; 
+          // mContextTopIndex refers to the misplaced content's legal parent index.
+          result = HandleSavedTokens(mBodyContext->mContextTopIndex);
+          NS_ENSURE_SUCCESS(result, result);
+        } while (mFlags & NS_DTD_FLAG_MISPLACED_CONTENT);

        mBodyContext->mContextTopIndex = -1; 
      }          
@ -871,6 +875,13 @@ nsresult CNavDTD::HandleToken(CToken* aToken,nsIParser* aParser){
      static eHTMLTags gLegalElements[]={eHTMLTag_table,eHTMLTag_thead,eHTMLTag_tbody,
                                         eHTMLTag_tr,eHTMLTag_td,eHTMLTag_th,eHTMLTag_tfoot};
      if(theToken) {
+        // Don't even try processing misplaced tokens if we're already
+        // handling misplaced content. See bug 269095
+        if (mFlags & NS_DTD_FLAG_IN_MISPLACED_CONTENT) {
+          PushIntoMisplacedStack(theToken);
+          return result;  
+        }
+
        eHTMLTags theParentTag=mBodyContext->Last();
        theTag=(eHTMLTags)theToken->GetTypeID();
        if(FindTagInSet(theTag, gLegalElements,
@ -2100,7 +2111,8 @@ nsresult CNavDTD::HandleSavedTokens(PRInt32 anIndex) {
      PRInt32  theBadTokenCount   = mMisplacedContent.GetSize();

      if(theBadTokenCount > 0) {
-        
+        mFlags |= NS_DTD_FLAG_IN_MISPLACED_CONTENT;
+
        if(mTempContext==nsnull) mTempContext=new nsDTDContext();

        CToken*   theToken;
@ -2173,6 +2185,8 @@ nsresult CNavDTD::HandleSavedTokens(PRInt32 anIndex) {
        mSink->EndContext(anIndex);
        MOZ_TIMER_DEBUGLOG(("Start: Parse Time: CNavDTD::HandleSavedTokensAbove(), this=%p\n", this));
        START_TIMER()
+
+        mFlags &= ~NS_DTD_FLAG_IN_MISPLACED_CONTENT;
      }
    }
    return result;