On Sun, May 25, 2008 at 08:14:29PM +0200, Justus Winter wrote:
Jorge Arellano Cid wrote:
On Sun, May 25, 2008 at 01:12:38PM +0200, Justus Winter wrote:
Hi :)
I was playing around with Michal Zalewski's HTML fuzzer 'mangle', trying to crash dillo, and succeeded :).
Good.
It's no surprise, because dillo2 needs a careful review of its behaviour when facing strange/malicious values. Obviously this phase was postponed until basic functionality was completed.
For instance, most probably you'll get to crash dillo2 by passing it some negative values in attributes. The problem of being robust when parsing garbage or malicious code needs a general strategy.
Are you saying that it is too early to locate problems this way?
No! It was too early; now dillo2 has almost everything dillo1 had, and more. Now it's a good time. What I meant is that a general strategy for these cases is better than a case-by-case approach.
The process of finding problems using a fuzzer and generating minimal testcases that trigger the problem is mostly automatic and I could script the last bits that do require manual intervention with ease.
In case these bug reports are useful at this point, here is another one:
In file html.cc, function Html_tag_close_select:
int size = input->select->options->size ();
fails since input->select is NULL. The html fragment that triggers this fault is attached.
<HEAD><FORM><SELECT><TEXTAREA>
This is the same non-authorized element inside SELECT. It can be caught with the solution described in my last post. It'd be good to have the test cases. Go ahead.
--
Cheers
Jorge.-
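The crash reported above, modelled as an added example that is not dillo's code and not Jorge's fix (his "solution described in my last post" is not on this page): a minimal form-input state of the kind Html_tag_close_select() touches, the unchecked close beside a hardened one, and a whitelist of authorized SELECT children as one general strategy for non-authorized elements. All names here (FormState, Input, Select, feed_tag, run_fragment and so on) are assumptions made for the illustration; the only thing taken from the report is the fragment <HEAD><FORM><SELECT><TEXTAREA> and the shape of the failing line.

```cpp
// Added example, not dillo code. Models why closing a SELECT dereferences a
// NULL select pointer once a TEXTAREA has become the "current" input, and
// shows two independent guards: a content-model whitelist at open-tag time
// and a type check at close-tag time. Every name below is an assumption.
#include <cctype>
#include <string>
#include <vector>

struct Select {
    std::vector<std::string> options;
};

enum InputKind { INPUT_SELECT, INPUT_TEXTAREA };

struct Input {
    InputKind kind;
    Select *select;               // non-null only for INPUT_SELECT
};

struct FormState {
    std::vector<Input> inputs;    // document order; back() is the current input
    bool select_open = false;     // a <SELECT> has been opened and not closed
    int dropped = 0;              // tags rejected by the whitelist
    FormState() {}
    FormState(const FormState &) = delete;
    ~FormState() { for (Input &i : inputs) delete i.select; }
};

// Pull lower-cased tag names ("head", "/select", ...) out of a fragment.
std::vector<std::string> tag_names(const std::string &html) {
    std::vector<std::string> out;
    std::string::size_type pos = 0;
    while ((pos = html.find('<', pos)) != std::string::npos) {
        std::string::size_type end = html.find('>', pos);
        if (end == std::string::npos) break;
        std::string name;
        for (std::string::size_type i = pos + 1; i < end && !isspace((unsigned char)html[i]); ++i)
            name += (char)tolower((unsigned char)html[i]);
        out.push_back(name);
        pos = end + 1;
    }
    return out;
}

// Content model for SELECT: only these children are authorized.
bool allowed_in_select(const std::string &tag) {
    return tag == "option" || tag == "optgroup";
}

// Hardened close: refuse to touch the select when the current input is not one.
int close_select_checked(FormState &s) {
    s.select_open = false;
    if (s.inputs.empty() || s.inputs.back().kind != INPUT_SELECT || !s.inputs.back().select)
        return -1;
    return (int)s.inputs.back().select->options.size();
}

// Unchecked close, the same shape as the failing line in the report: it assumes
// the current input is the select. After "<SELECT><TEXTAREA>" the current input
// is the textarea, whose select pointer is NULL, so this segfaults. Never called.
int close_select_unchecked(FormState &s) {
    Input *input = &s.inputs.back();
    int size = (int)input->select->options.size();
    s.select_open = false;
    return size;
}

// Open-tag handling. In strict mode a non-authorized element inside an open
// SELECT is dropped, so the select stays the current input until it is closed.
void feed_tag(FormState &s, const std::string &tag, bool strict) {
    if (strict && s.select_open && tag != "/select" && !allowed_in_select(tag)) {
        ++s.dropped;
        return;
    }
    if (tag == "select") {
        s.inputs.push_back(Input{INPUT_SELECT, new Select()});
        s.select_open = true;
    } else if (tag == "option" && !s.inputs.empty() && s.inputs.back().kind == INPUT_SELECT) {
        s.inputs.back().select->options.push_back("");
    } else if (tag == "textarea") {
        s.inputs.push_back(Input{INPUT_TEXTAREA, nullptr});
    } else if (tag == "/select") {
        close_select_checked(s);
    }
}

// Feed a fragment, then close the select the way an unterminated document
// forces the parser to. Returns the option count, or -1 when the current
// input is not a select (the state that crashes the unchecked close).
int run_fragment(const std::string &html, bool strict, FormState &s) {
    for (const std::string &t : tag_names(html)) feed_tag(s, t, strict);
    return close_select_checked(s);
}

int main() {
    const std::string fragment = "<HEAD><FORM><SELECT><TEXTAREA>";  // fragment from the report
    FormState lax, strict;
    run_fragment(fragment, false, lax);     // -1: close_select_unchecked would crash here
    run_fragment(fragment, true, strict);   //  0: textarea dropped, select still current
    return 0;
}
```

In lax mode the hardened close returns -1 because the current input is the textarea with a NULL select, which is exactly the state the fuzzer produced; in strict mode the textarea never becomes an input, so the close sees the select and returns its option count. Keeping both guards is the point: the whitelist removes the whole class of non-authorized children, and the close-time check still protects against any path the whitelist missed.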