Bug 145267

Summary: textarea bdo frameset crash
Product: [Applications] konqueror
Reporter: Dirk Mueller <mueller>
Component: khtml
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED WORKSFORME
Severity: crash
CC: finex, james, maksim
Priority: NOR
Version: 3.5
Target Milestone: ---
Platform: Compiled Sources
OS: Linux
Latest Commit:
Version Fixed In:
Attachments: htmltokenizer.cpp.patch.diff

Description Dirk Mueller 2007-05-10 16:48:30 UTC
Version: (using KDE KDE 3.5.6)
Installed from: Compiled From Sources

<textarea></button></textarea></br><bdo dir="">
 <pre><frameset>
 <a>

Online demo:

http://morph3us.org/security/pen-testing/konqueror/1178292626-khtml.html
Comment 1 Dirk Mueller 2007-05-10 16:53:28 UTC
#11 0xb7c85272 in khtml::RenderBlock::createLineBoxes (this=0x821ab08, 
    obj=0x821ac10)
    at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/bidi.cpp:644
#12 0xb7c862e1 in khtml::RenderBlock::constructLine (this=0x821ab08, 
    end=@0xbfc4e038)
Comment 2 Maksim Orlovich 2007-05-10 18:38:05 UTC
Slightly simpler TC:
<textarea>text</textarea><br><span style="unicode-bidi:embed">
<pre><frameset>

BTW, should continuations for inlines be inlines?
Comment 3 patch_linams 2007-07-29 15:37:27 UTC
Created attachment 21286 [details]
htmltokenizer.cpp.patch.diff

This is an interesting one: Konqueror doesn't seem to like white chars before the
"pre" start tag when there are no non-white chars before it.

In the attachment is the patch which should fix this. It's a first try and
needs testing with other possible tags (not only "span" and "bdo") according to
their text formatting behavior (whether they interpret white chars or not).

Give it a try )
Comment 4 Dirk Mueller 2007-08-02 15:19:11 UTC
I don't think working around this in the tokenizer is the right solution. The parser is getting confused because of the <frameset>, and the body replacement by a frameset is causing the error.
Comment 5 patch_linams 2007-08-03 12:53:38 UTC
Actually, I don't think you're right. It can have nothing to do with a <frameset>. Here is an example:

<br>
<bdo dir="">
<pre>

<

When unpatched, Konqueror will crash, which means a <frameset> doesn't matter at all (and it is the same test case as yours). I don't see the patch as a workaround 'cause it's the default behavior anyway, as far as I know (those white chars don't get interpreted). And take a look at the code: e.g. when <pre> is found, a LFDiscard is applied.

But if you have a better solution we are open for discussion, of course :-)
Comment 6 FiNeX 2008-04-21 00:35:09 UTC
konqueror 4 (trunk) doesn't crash with the testcase.
Comment 7 James Spahlinger 2008-04-21 14:01:45 UTC
No crash in 3.5.9 either. Closing.