Version: (using KDE KDE 3.5.2)
Installed from: Compiled From Sources
Compiler: gcc version 4.0.3 (Gentoo 4.0.3, pie-8.7.8)
OS: Linux

The following code causes Konqueror to freeze:

<html>
 <body>
  <b><label>Text<p></label></b>
  <b><label>Text</label></b>
 </body>
</html>

(Mostly because of the <p> inside the <label>, I think.)

It freezes in htmlparser.cpp, line 271:

while(forbiddenTag[t->tid]) {
#ifdef PARSER_DEBUG
    kdDebug( 6035 ) << "t->id: " << t->tid << " is forbidden :-( " << endl;
#endif
    popOneBlock();
}

Backtrace:

#1 0xb6ec5244 in khtml::KHTMLParser::parseToken (this=0x834bad0, t=0x8343a84) at htmlparser.cpp:275
#2 0xb6ec546f in khtml::HTMLTokenizer::processToken (this=0x8343a50) at htmltokenizer.cpp:1666
#3 0xb6ec933e in khtml::HTMLTokenizer::parseTag (this=0x8343a50, src=@0x8343f6c) at htmltokenizer.cpp:1166
#4 0xb6ec9a44 in khtml::HTMLTokenizer::write (this=0x8343a50, str=@0xbfe71048, appendData=true) at htmltokenizer.cpp:1425
#5 0xb6e2d808 in KHTMLPart::write (this=0x8317bc8, str=0x83314f8 "<html>\n <body>\n <b><label>Text<p></label></b>\n <b><label>Text</label></b>\n </body>\n</html>\na", len=93) at khtml_part.cpp:1980
#6 0xb6e2eae8 in KHTMLPart::slotData (this=0x8317bc8, kio_job=0x8313948, data=@0xbfe715c8) at khtml_part.cpp:1662
#7 0xb6e4b844 in KHTMLPart::qt_invoke (this=0x8317bc8, _id=16, _o=0xbfe712b4) at khtml_part.moc:501
#8 0x42ae5939 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#9 0xb7af08c0 in KIO::TransferJob::data (this=0x8313948, t0=0x8313948, t1=@0xbfe715c8) at jobclasses.moc:993
#10 0xb7af0959 in KIO::TransferJob::slotData (this=0x8313948, _data=@0xbfe715c8) at job.cpp:906
#11 0xb7b179ee in KIO::TransferJob::qt_invoke (this=0x8313948, _id=18, _o=0xbfe713b8) at jobclasses.moc:1072
#12 0x42ae5939 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#13 0xb7aececb in KIO::SlaveInterface::data (this=0x8331620, t0=@0xbfe715c8) at slaveinterface.moc:194
#14 0xb7b2f923 in KIO::SlaveInterface::dispatch (this=0x8331620, _cmd=100, rawdata=@0xbfe715c8) at slaveinterface.cpp:234
#15 0xb7b15d0e in KIO::SlaveInterface::dispatch (this=0x8331620) at slaveinterface.cpp:173
#16 0xb7b0e54e in KIO::Slave::gotInput (this=0x8331620) at slave.cpp:300
#17 0xb7b14831 in KIO::Slave::qt_invoke (this=0x8331620, _id=4, _o=0xbfe716c4) at slave.moc:113
#18 0x42ae5939 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#19 0x42ae5f21 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
#20 0x42e25210 in QSocketNotifier::activated () from /usr/qt/3/lib/libqt-mt.so.3
#21 0x42b0437f in QSocketNotifier::event () from /usr/qt/3/lib/libqt-mt.so.3
#22 0x42a8676a in QApplication::internalNotify () from /usr/qt/3/lib/libqt-mt.so.3
#23 0x42a871ef in QApplication::notify () from /usr/qt/3/lib/libqt-mt.so.3
#24 0xb757e550 in KApplication::notify (this=0xbfe71b94, receiver=0x82e2788, event=0xbfe71968) at kapplication.cpp:550
#25 0x42a7a59d in QEventLoop::activateSocketNotifiers () from /usr/qt/3/lib/libqt-mt.so.3
#26 0x42a35ac2 in QEventLoop::processEvents () from /usr/qt/3/lib/libqt-mt.so.3
#27 0x42a9cfc9 in QEventLoop::enterLoop () from /usr/qt/3/lib/libqt-mt.so.3
#28 0x42a9ceb6 in QEventLoop::exec () from /usr/qt/3/lib/libqt-mt.so.3
#29 0x42a860bf in QApplication::exec () from /usr/qt/3/lib/libqt-mt.so.3
#30 0xb7f307b0 in kdemain (argc=2, argv=0xbfe72084) at konq_main.cc:206
#31 0x08048742 in main (argc=2, argv=0xbfe72084) at konqueror.la.cc:2
Created an attachment (id=15780) Testcase
Same here on r531801
SVN commit 535297 by kling: Prevent an infinite loop in parseToken() when dealing with broken HTML. BUG: 126268 M +1 -1 htmlparser.cpp --- branches/KDE/3.5/kdelibs/khtml/html/htmlparser.cpp #535296:535297 @@ -268,7 +268,7 @@ // if this tag is forbidden inside the current context, pop // blocks until we are allowed to add it... - while(forbiddenTag[t->tid]) { + while(blockStack && forbiddenTag[t->tid]) { #ifdef PARSER_DEBUG kdDebug( 6035 ) << "t->id: " << t->tid << " is forbidden :-( " << endl; #endif
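Review bot: In the changed `while` condition, the loop can now exit because `blockStack` is null while `forbiddenTag[t->tid]` is still non-zero, and nothing in the visible lines handles that case: the code after the loop carries on as if the tag had become allowed, and the comment above still reads "pop blocks until we are allowed to add it". Please extend that comment to say what is meant to happen when the stack runs out first, and consider a PARSER_DEBUG message after the loop for that case, since a non-zero forbidden count with nothing left to pop suggests the counter got out of step earlier in the parse, which this guard stops from hanging but does not correct. The attached testcase (id=15780) would also make a good regression test, so that a malformed page cannot reintroduce the hang unnoticed.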