[PATCH] 2 konqueror crashes with css "capitalize"

Andreas Hartmetz ahartmetz at gmail.com
Sun Aug 6 22:49:05 BST 2006


Hi!

I found 2 crashes in KHTML 3.5.4, introduced in revision 555985.
Both crashes are in the implementation of CSS capitalize in
khtml/rendering/render_text.cpp.

The first is an array index out of bounds error with CSS like {
content:""; } which generates a RenderText object RTobj with
RTobj->string()->length() == 0.
The second problem is with CSS like { content: open-quote } that
generates a RenderText RTobj with RTobj->string() == 0.

A patch for these two defects is included. It is quite ugly but big
changes to other code seem to be needed to make the situation less
ugly. You can call it a workaround, if you wish.

Another unrelated issue is that KHTML's CSS parser repeats the
previous element if it encounters an invalid element. carewolf found
out that it's the CSS parser's fault so thanks to him!
An example is { content:"blah", open-quote; } [note: according to the
specs CSS "content:" does not take a comma-separated list!] that leads
to an output of 'blahblah"'.

Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: khtml-3.5.4-capitalize-crash-fix.diff
Type: text/x-diff
Size: 3822 bytes
Desc: not available
URL: <https://mail.kde.org/mailman/private/kfm-devel/attachments/20060806/4d26aa66/attachment.diff>
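As an added illustration (not the scrubbed patch and not KHTML's own code), a capitalize pass over a sequence of text runs that guards the two inputs described above: a null run stands in for RenderText::string() == 0 and an empty run for string()->length() == 0. The function names and the word-boundary rule are assumptions.

```cpp
// Added example, not KHTML code: capitalize consecutive text runs the way a
// CSS "text-transform: capitalize" pass sees them, guarding the two inputs
// from the report. A null run models RenderText::string() == 0 (content:
// open-quote); an empty run models string()->length() == 0 (content: "").
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Transform one run. prevChar is the last character emitted by the preceding
// run (0 when there is none); it decides whether the run's first character
// starts a word. Assumed word rule: a letter is capitalized when the
// character before it is absent, whitespace or punctuation.
std::string capitalizeRun(const std::string* run, char& prevChar)
{
    if (run == nullptr)          // would otherwise dereference a null string
        return std::string();
    if (run->empty())            // would otherwise read (*run)[0] out of bounds
        return std::string();

    std::string out(*run);
    for (std::size_t i = 0; i < out.size(); ++i) {
        unsigned char prev = static_cast<unsigned char>(i == 0 ? prevChar : out[i - 1]);
        unsigned char cur = static_cast<unsigned char>(out[i]);
        bool startsWord = (prev == 0) || !std::isalnum(prev);
        if (startsWord && std::isalpha(cur))
            out[i] = static_cast<char>(std::toupper(cur));
    }
    prevChar = out.back();       // safe: out is non-empty here
    return out;
}

// Apply the pass across all runs and concatenate the result.
std::string capitalizeRuns(const std::vector<const std::string*>& runs)
{
    std::string result;
    char prevChar = 0;
    for (const std::string* run : runs)
        result += capitalizeRun(run, prevChar);
    return result;
}

int main()
{
    // Constructed runs: text, a quote with no string, empty content, more text.
    const std::string hello = "hello ", quote = "\"", world = "world", empty;
    std::vector<const std::string*> runs = { &hello, nullptr, &empty, &quote, &world };
    std::cout << capitalizeRuns(runs) << '\n';   // Hello "World
    return 0;
}
```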