I was getting crashes on the dFree(tok) in Html_parse_entity() on a page that I whittled down to:

<html> <head> <title></title> </head> <body> <form> <select> <option>&Someword </select> </form> </body> </html>

It turns out that strchr(":_.-", '\0') finds the null terminator in the string.

diff -pur dillo2/src/html.cc dillo2-cur/src/html.cc --- dillo2/src/html.cc 2008-03-06 14:58:56.000000000 +0000 +++ dillo2-cur/src/html.cc 2008-03-07 05:46:52.000000000 +0000 @@ -1350,7 +1350,7 @@ static int Html_parse_entity(DilloHtml * } else if (isalpha(*s)) { /* character entity reference */ - while (isalnum(*++s) || strchr(":_.-", *s)); + while (*++s && (isalnum(*s) || strchr(":_.-", *s))); c = *s; *s = 0;
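
Review bot: the `*++s &&` guard on the added while line needs a one-line comment saying why it is there. strchr() treats the terminating null as part of the searched string, so strchr(":_.-", '\0') returns non-NULL; the old loop therefore kept advancing past the end of the token, and the following `*s = 0;` then wrote outside it. Without a comment the guard looks redundant and could be dropped in a later cleanup. Separately, isalnum(*s) here and isalpha(*s) in the context line above should take the value cast to unsigned char, as in isalnum((unsigned char)*s), assuming s points to plain char: bytes above 0x7f in page content would otherwise reach the ctype functions as negative values, which is undefined behaviour.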