Opened 4 years ago

Closed 4 years ago

#12812 closed defect (fixed)

wxHTMLParser causes crash

Reported by: roberthoffmann
Owned by:
Priority: normal
Milestone:
Component: wxHtml
Version: stable-latest
Keywords: wxHtmlParser assertion failed
Cc:
Blocked By:
Blocking:
Patch: yes



wxHTMLParser is quite picky about incorrect HTML code. In debug mode, it shows this when loading a page where a tag like this is present:
<font size="">

"Debug Assertion failed!
Program: ...test.exe
File: C:\Program Files\Microsoft Visual Studio 9.0\vc\include\xstring
Line: 112

Expression: string iterator not dereferencable"

You can reproduce this when you change a sample HTML page in the html/test directory (I used regres.htm). Replace <font size="+2"> with <font size="">, run the test sample and click on "some wxHTML regression tests".

With wxWidgets 2.8.11 there is no such problem.

My configuration:
Windows 7, Visual C++ 2008 Express, wxWidgets 2.9-svn

The stack trace:
test.exe!std::_String_const_iterator<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::operator*() Zeile 112 + 0x12 Bytes C++

test.exe!wxStringOperationsWchar::DecodeChar(const std::_String_const_iterator<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & i=0x002de13c "") Zeile 53 + 0xb Bytes C++
test.exe!wxString::at(unsigned int n=0) Zeile 1554 + 0x78 Bytes C++
test.exe!wxString::GetChar(unsigned int n=0) Zeile 1556 + 0x17 Bytes C++
test.exe!wxHTML_Handler_FONT::HandleTag(const wxHtmlTag & tag={...}) Zeile 55 + 0x56 Bytes C++
test.exe!wxHtmlParser::AddTag(const wxHtmlTag & tag={...}) Zeile 316 + 0x1f Bytes C++
test.exe!wxHtmlParser::DoParsing(const wxString::const_iterator & begin_pos_={...}, const wxString::const_iterator & end_pos={...}) Zeile 302 C++



Attachments (1)

update.diff download (664 bytes) - added by snowleopard2 4 years ago.


Change History (5)

comment:1 Changed 4 years ago by snowleopard2

It's line 55 of src\html\m_fonts.cpp that's the culprit:

wxChar c = tag.GetParam(wxT("SIZE")).GetChar(0);

"GetChar()" is being called without checking the length of the string first. I'll submit a patch for this tonight...

Changed 4 years ago by snowleopard2

comment:2 Changed 4 years ago by snowleopard2

  • Patch set

Attached patch to fix the crash (added a check for the SIZE parameter's length before parsing it).

comment:3 Changed 4 years ago by vadz

  • Status changed from new to confirmed

I think a simpler/better fix is to just avoid looking at the sign unless we have a number at all. I'll commit this soon.

comment:4 Changed 4 years ago by VZ

  • Resolution set to fixed
  • Status changed from confirmed to closed

(In [66492]) Don't crash on malformed HTML in wxHTML font tag handler.

Don't try to access the first character of the size parameter value before we
are sure that it is not empty.

Closes #12812.
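
An added example, not part of the ticket or of the wxWidgets source: a stand-alone C++ version of the ordering described in comment:3 and the commit message, where the first character of the SIZE value is inspected only once the value is known to be a non-empty number. It uses std::string instead of wxString, and the names FontSize and ParseFontSize are hypothetical.

```cpp
#include <cctype>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>

// Hypothetical result type, not part of wxWidgets.
struct FontSize {
    bool relative;  // true when the value had an explicit '+' or '-'
    long value;     // parsed number, sign included
};

// Parse the value of a <font size="..."> attribute. Returns false, leaving
// 'out' untouched, for anything that is not a plain decimal number.
bool ParseFontSize(const std::string& raw, FontSize& out)
{
    // size="" (the input from the ticket): nothing to index into.
    if (raw.empty())
        return false;
    // strtol() would silently skip leading blanks; reject them instead so
    // that raw[0] below really is the sign or the first digit.
    if (std::isspace(static_cast<unsigned char>(raw[0])))
        return false;

    errno = 0;
    char* end = NULL;
    const long n = std::strtol(raw.c_str(), &end, 10);
    if (end == raw.c_str() || *end != '\0' || errno == ERANGE)
        return false;  // "+", "abc", "3px", out-of-range values

    // A number is in hand, so looking at the sign character is safe.
    out.relative = (raw[0] == '+' || raw[0] == '-');
    out.value = n;
    return true;
}

int main()
{
    const char* samples[] = { "", "+", "abc", "+2", "-1", "3" };  // constructed inputs
    for (const char* s : samples) {
        FontSize fs = { false, 0 };
        if (ParseFontSize(s, fs))
            std::printf("size=\"%s\" -> %s %ld\n", s, fs.relative ? "relative" : "absolute", fs.value);
        else
            std::printf("size=\"%s\" -> ignored\n", s);
    }
    return 0;
}
```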
