[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Lynx-dev] broken detection of empty <select> (coredumps)

From: Al Viro
Subject: [Lynx-dev] broken detection of empty <select> (coredumps)
Date: Mon, 17 Jan 2005 03:55:45 +0000
User-agent: Mutt/1.4.1i

Trimmed-down testcase on,
both 2.8.5rel1 and current coredump on that.

AFAICS, what happens is that sanity checks in HText_setLastOptionValue()
that would normally bail out on seeing a select with no options (
    if (!(value
          && text
          && text->last_anchor
          && text->last_anchor->link_type == INPUT_ANCHOR)) {
        CTRACE((tfp, "HText_setLastOptionValue: invalid call!  value:%s!\n",
                (value ? value : "<NULL>")));
        return NULL;
get confused if we already had a non-empty select - text->last_anchor is
already non-NULL, text->last_anchor->link_type is INPUT_ANCHOR, so we go
ahead and end up with a segfault in
         * Return the selected Option value to be sent to the screen.
        if (order == LAST_ORDER) {
             * Change the value.
            text->last_anchor->input_field->size =
            ret_Value = HTCurSelectedOptionValue;
later on - strlen(NULL) is not a nice thing to do...

PS: original had <select ...><script ...>...</script></select> instead of
empty select; segfaults the same way, obviously...

reply via email to

[Prev in Thread] Current Thread [Next in Thread]