[Lynx-dev] broken detection of empty <select> (coredumps)
From: Al Viro
Subject: [Lynx-dev] broken detection of empty <select> (coredumps)
Date: Mon, 17 Jan 2005 03:55:45 +0000
User-agent: Mutt/1.4.1i

Trimmed-down testcase on ftp://ftp.linux.org.uk/pub/people/viro/lynx-bug.html,
both 2.8.5rel1 and current coredump on that.
AFAICS, what happens is that sanity checks in HText_setLastOptionValue()
that would normally bail out on seeing a select with no options (
    if (!(value
          && text
          && text->last_anchor
          && text->last_anchor->link_type == INPUT_ANCHOR)) {
        CTRACE((tfp, "HText_setLastOptionValue: invalid call! value:%s!\n",
                (value ? value : "<NULL>")));
        return NULL;
    }
)
get confused if we already had a non-empty select - text->last_anchor is
already non-NULL, text->last_anchor->link_type is INPUT_ANCHOR, so we go
ahead and end up with a segfault in
    /*
     * Return the selected Option value to be sent to the screen.
     */
    if (order == LAST_ORDER) {
        /*
         * Change the value.
         */
        text->last_anchor->input_field->size =
            strlen(HTCurSelectedOptionValue);
        ret_Value = HTCurSelectedOptionValue;
    }
later on - strlen(NULL) is not a nice thing to do...
PS: original had <select ...><script ...>...</script></select> instead of
empty select; segfaults the same way, obviously...
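
Added example, not part of the original post and not Lynx source: a reduced C model of the stale-anchor condition described above, with a NULL check placed before the strlen() call. The struct layouts, the static scenario objects, set_last_option() and its return codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the Lynx structures named in the post (assumed layout). */
enum { INPUT_ANCHOR = 1 };
struct input_field { size_t size; };
struct anchor { int link_type; struct input_field *input_field; };
struct text { struct anchor *last_anchor; };

/* Constructed state: what an earlier, non-empty <select> leaves behind. */
static struct input_field field;
static struct anchor prev_anchor = { INPUT_ANCHOR, &field };
static struct text doc = { &prev_anchor };

/* Same condition as the check quoted in the post: it only asks whether the
 * most recent anchor is a form input, not whether it belongs to this select. */
static int guard_as_posted(const struct text *text, const char *value)
{
    return value && text && text->last_anchor
        && text->last_anchor->link_type == INPUT_ANCHOR;
}

/* Hypothetical hardened LAST_ORDER step: cur_selected models
 * HTCurSelectedOptionValue, which stays NULL when no <option> was seen. */
static int set_last_option(struct text *text, const char *value,
                           const char *cur_selected)
{
    if (!guard_as_posted(text, value))
        return -1;                  /* rejected by the original check */
    if (cur_selected == NULL)
        return -2;                  /* empty select: bail out, no strlen(NULL) */
    text->last_anchor->input_field->size = strlen(cur_selected);
    return 0;
}

int main(void)
{
    /* Empty select following a filled one: the posted guard still passes. */
    printf("posted guard passes: %d\n", guard_as_posted(&doc, ""));
    printf("hardened step returns: %d\n", set_last_option(&doc, "", NULL));
    return 0;
}
```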