<html>
<title>Selection Bug</title>
<body>
<table>
<tr><td><!-- empty cell --></td></tr>
<tr><td>
Select beyond the end of the text and Dillo segfaults.
</td></tr>
<!-- missing </table> -->
</body>
</html>

<!--

(gdb) bt 2
#0  Selection_correct_char_pos (it=0x0, char_pos=0) at selection.c:405
#1  0x080686a6 in Selection_adjust_selection (selection=0x80dcf70, it=0x80e5ce0, char_pos=0) at selection.c:335
(More stack frames follow...)

(gdb) list selection.c:335
330        DwExtIterator *new_to;
331        gint new_to_char, cmp_old, cmp_new, cmp_diff, len;
332        gboolean brute_highlighting = FALSE;
333
334        new_to = a_Dw_ext_iterator_new_variant (selection->to, it);
335        new_to_char = Selection_correct_char_pos (new_to, char_pos);
336
337        cmp_old = a_Dw_ext_iterator_compare (selection->to, selection->from);
338        cmp_new = a_Dw_ext_iterator_compare (new_to, selection->from);
339

I see 3 possible attacks on this one:

1. Add a check for NULL on the return value of
   a_Dw_ext_iterator_new_variant().
2. Do that special empty DwExtIterator idea you mentioned.
3. Make html.c clean up the <table> tag better. The missing closer
   probably shouldn't make a difference in this example, but the
   segfault only happens if the closer is missing.

Cheers,
Joe Crayne

-->