Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crash in a malformed <table>, with "Bad state: No element" #1078

Open
gnprice opened this issue Jul 26, 2023 · 0 comments
Open

Crash in a malformed <table>, with "Bad state: No element" #1078

gnprice opened this issue Jul 26, 2023 · 0 comments
Labels
package:html

Comments

@gnprice
Copy link

gnprice commented Jul 26, 2023

The following HTML causes the parser to crash:
\t<TABLE><<!>;<!><<!>.<lec><th>i><a><mat\x00\x01<mi\x00a><math>><th><mI>chardeta\xff\xff\xff\xff<><th><mI><||||||||A<select><>qu?\xbemath><th><mie>qu

Here's a stack trace (with package:html 0.15.4):

$ dart tmp.dart
Unhandled exception:
Bad state: No element
#0      ListBase.removeLast (dart:collection/list.dart:313:7)
dart-lang/html#1      TreeBuilder.clearActiveFormattingElements (package:html/src/treebuilder.dart:217:42)
dart-lang/html#2      InCellPhase.endTagTableCell (package:html/parser.dart:3172:12)
dart-lang/html#3      InCellPhase.closeCell (package:html/parser.dart:3128:7)
dart-lang/html#4      InCellPhase.startTagTableOther (package:html/parser.dart:3147:7)
dart-lang/html#5      InCellPhase.processStartTag (package:html/parser.dart:3092:16)
dart-lang/html#6      HtmlParser.mainLoop (package:html/parser.dart:310:37)
dart-lang/html#7      HtmlParser._parse (package:html/parser.dart:191:9)
dart-lang/html#8      HtmlParser.parseFragment (package:html/parser.dart:182:5)

From the stack, it looks like it's related to that table element and/or the th elements.

Here's a second HTML string causing the same crash (with the same stack trace):
y<framesetboheadrb$al>t<table><><t><th><math><th>u<\x0ch><mi><thx><TR>ind><<meta><i<isind<i\xff\xff\xff\xffex><select><<tr>i=ut\x00\x007>

I've included a self-contained test program at the end.

I obtained both of these test cases from html5lib/html5lib-python#568 , a bug report on the html5lib Python library which this library is described as a port of. They originate from Google's oss-fuzz project, as applied to the BeautifulSoup library (which uses html5lib).

There are several other fuzzer-produced test cases in that html5lib bug report, but I tried each of them against package:html, and these two are the only ones that crashed. The rest produced reasonable-looking output instead.

Test program:

import 'package:html/parser.dart';

void main() {
  final html = '\t<TABLE><<!>;<!><<!>.<lec><th>i><a><mat\x00\x01<mi\x00a><math>><th><mI>chardeta\xff\xff\xff\xff<><th><mI><||||||||A<select><>qu?\xbemath><th><mie>qu';
  // or: final html = r'y<framesetboheadrb$al>t<table><><t><th><math><th>u<\x0ch><mi><thx><TR>ind><<meta><i<isind<i\xff\xff\xff\xffex><select><<tr>i=ut\x00\x007>';
  final fragment = HtmlParser(html, parseMeta: false).parseFragment();
  print(fragment.nodes);
}
@mosuem mosuem transferred this issue from dart-lang/html Oct 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
package:html
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gnprice @mosuem