Justus wrote:
I was playing around with Michal Zalewski's html fuzzer 'mangle' trying to crash dillo and succeeded :). Furthermore I was able to reduce the ~100k page that was triggering a NULL pointer dereference to three tags (see the attached page).
Some digging around (html.cc is a monster ^^) revealed that
style_attrs.setBorderColor(Color::createShaded(HT2LT(html), style_attrs.backgroundColor->getColor()));
in Html_tag_open_table was failing due to the fact that style_attrs.backgroundColor was NULL.
Html_tag_open_select sets the backgroundColor to NULL and this is inherited by the table tag since it's a child of the select tag.
I doubt I realized you can try to put things like tables inside selects back when I wrote that. Maybe Jorge will know something easy and general that can be done based on parse modes to keep dillo from wasting its time calling things like Html_tag_open_table that aren't going to be displayed anyway, but the attached patch at least fixes the crash.
Grepping through the code shows that there are at least two other functions that set backgroundColor (and color) to NULL (Html_tag_open_input and Html_tag_open_isindex) and twelve locations calling getColor() on either color or backgroundColor.
I think those are all right because they aren't allowed to contain anything, although, as I hinted above, my knowledge of the parsing code is not really detailed.
Furthermore I'd suggest breaking html.cc down into several files. It is about 6000 lines long (-> hard to dig into) and it takes gcc roughly five seconds to compile on my box.
I'd like this as well.
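Added illustration, not dillo's code: a constructed model of the per-tag style stack showing how the NULL backgroundColor set by the select handler is inherited by a nested table handler, with the table handler written the defensive way the thread's patch implies (fall back instead of dereferencing NULL). The type names, shade() and kPageBg are stand-ins for dillo's real classes and are assumptions.

```cpp
#include <cstdint>
#include <deque>
#include <vector>

// Constructed stand-ins for dw::core::style types; not dillo's declarations.
struct Color { uint32_t rgb; };

static const Color kPageBg{0xffffff};  // assumed document background colour

struct StyleAttrs {
    const Color *backgroundColor;  // nullptr = "no background", as <select> sets it
    const Color *borderColor;
};

// Stand-in for Color::createShaded(): darken each channel to 3/4.
static Color shade(const Color &c) {
    uint32_t r = ((c.rgb >> 16) & 0xff) * 3 / 4;
    uint32_t g = ((c.rgb >> 8) & 0xff) * 3 / 4;
    uint32_t b = (c.rgb & 0xff) * 3 / 4;
    return Color{(r << 16) | (g << 8) | b};
}

class Parser {
public:
    // Every opened tag starts from a copy of its parent's attrs, so a NULL
    // backgroundColor set by <select> is inherited by a <table> nested in it.
    void tagOpen() { stack_.push_back(stack_.back()); }
    void tagClose() { stack_.pop_back(); }
    void tagOpenSelect() { tagOpen(); stack_.back().backgroundColor = nullptr; }

    // True exactly when the unpatched table handler would dereference NULL.
    bool tableWouldCrash() const { return stack_.back().backgroundColor == nullptr; }

    // Patched behaviour: shade the inherited background when there is one,
    // otherwise shade the page background instead of dereferencing NULL.
    void tagOpenTable() {
        tagOpen();
        const Color *bg = stack_.back().backgroundColor;
        shaded_.push_back(shade(bg ? *bg : kPageBg));
        stack_.back().borderColor = &shaded_.back();  // deque keeps addresses stable
    }

    const StyleAttrs &current() const { return stack_.back(); }

private:
    std::vector<StyleAttrs> stack_{StyleAttrs{&kPageBg, nullptr}};
    std::deque<Color> shaded_;
};
```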