GNOME Bugzilla – Bug 94415
cssmatcher seg fault
Last modified: 2009-08-15 18:40:50 UTC
In initializing the variable `type', css_matcher_apply_rule dereferences parent_style when it's NULL. I note from cvs that the initialization was introduced to avert an `uninitialized variable' compiler warning: HTML_TEXT_ALIGN_DEFAULT (= 0) is more innocuous. diff -u cssmatcher.c.orig cssmatcher.c --- cssmatcher.c.orig Tue Aug 6 18:11:57 2002 +++ cssmatcher.c Sat Sep 28 07:45:46 2002 @@ -1270,7 +1270,7 @@ break; case HTML_ATOM_TEXT_ALIGN: { - HtmlTextAlignType type = parent_style->inherited->text_align; + HtmlTextAlignType type = HTML_TEXT_ALIGN_DEFAULT; switch (val->v.atom) { case HTML_ATOM_INHERIT: type = parent_style->inherited->text_align;
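Review bot: the one-line change stops the crash in the initializer, but the `case HTML_ATOM_INHERIT: type = parent_style->inherited->text_align;` branch at the end of the hunk still dereferences parent_style unconditionally, so it relies on the guard near the start of css_matcher_apply_rule covering every path into this switch; adding `if (parent_style)` around that assignment (leaving HTML_TEXT_ALIGN_DEFAULT otherwise) would make the case self-contained. Since the hunk shows only the text_align case, it is worth checking the neighbouring `case HTML_ATOM_*` blocks in the same function for other locals initialized from parent_style outside their INHERIT branch.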
Do you have a test case that causes the current code to seg fault?
Not a simple one. Balsa (http://balsa.gnome.org/) is linked against gtkhtml2, and certain html messages (typically spam!) crash it. One such *really* bugged me that day, so I gdb'd it and found this problem, but I discarded the stack trace--sorry! (I also finally managed to delete the spam.) The issue is that in css_matcher_apply_rule, parent_style is dereferenced only in contexts where val->v.atom == HTML_ATOM_INHERIT, and there's a test near the start that protects against the seg-fault--except for the one case reported in this bug, where it's used to initialize a variable *outside* the appropriate case in the switch.
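The pitfall described above, as an added C example that is not code from gtkhtml2 or from this bug's patch: the struct and enum shapes are assumed stand-ins, and the guarded version also checks the pointer inside the inherit branch rather than relying on a guard elsewhere in the caller.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed minimal stand-ins for the gtkhtml2 style types (not the real definitions). */
typedef enum { HTML_TEXT_ALIGN_DEFAULT = 0, HTML_TEXT_ALIGN_LEFT, HTML_TEXT_ALIGN_CENTER } HtmlTextAlignType;
typedef enum { HTML_ATOM_INHERIT, HTML_ATOM_LEFT, HTML_ATOM_CENTER } HtmlAtom;
typedef struct { HtmlTextAlignType text_align; } HtmlStyleInherited;
typedef struct { HtmlStyleInherited *inherited; } HtmlStyle;

/* Pre-patch shape: the initializer is evaluated before the switch, so a NULL
 * parent_style crashes here even when the value is not 'inherit'. */
static HtmlTextAlignType text_align_unguarded(const HtmlStyle *parent_style, HtmlAtom atom)
{
    HtmlTextAlignType type = parent_style->inherited->text_align; /* NULL deref if parent_style == NULL */
    switch (atom) {
    case HTML_ATOM_INHERIT: type = parent_style->inherited->text_align; break;
    case HTML_ATOM_LEFT:    type = HTML_TEXT_ALIGN_LEFT;   break;
    case HTML_ATOM_CENTER:  type = HTML_TEXT_ALIGN_CENTER; break;
    }
    return type;
}

/* Patched shape: start from the innocuous default and touch parent_style only in
 * the inherit branch, which here also carries its own NULL check. */
static HtmlTextAlignType text_align_guarded(const HtmlStyle *parent_style, HtmlAtom atom)
{
    HtmlTextAlignType type = HTML_TEXT_ALIGN_DEFAULT;
    switch (atom) {
    case HTML_ATOM_INHERIT:
        if (parent_style != NULL && parent_style->inherited != NULL)
            type = parent_style->inherited->text_align;
        break;
    case HTML_ATOM_LEFT:    type = HTML_TEXT_ALIGN_LEFT;   break;
    case HTML_ATOM_CENTER:  type = HTML_TEXT_ALIGN_CENTER; break;
    }
    return type;
}

/* Helper: resolve 'inherit' against a constructed parent carrying parent_align. */
static HtmlTextAlignType inherit_from(HtmlTextAlignType parent_align)
{
    HtmlStyleInherited inh = { parent_align };
    HtmlStyle parent = { &inh };
    return text_align_guarded(&parent, HTML_ATOM_INHERIT);
}

int main(void)
{
    /* Root element (no parent) with an explicit value: only the guarded form survives. */
    printf("guarded, NULL parent, left:    %d\n", text_align_guarded(NULL, HTML_ATOM_LEFT));
    printf("guarded, NULL parent, inherit: %d\n", text_align_guarded(NULL, HTML_ATOM_INHERIT));
    printf("guarded, inherit from center:  %d\n", inherit_from(HTML_TEXT_ALIGN_CENTER));
    printf("unguarded with a real parent:  %d\n", text_align_unguarded((HtmlStyle[]){{ &(HtmlStyleInherited){ HTML_TEXT_ALIGN_LEFT } }}, HTML_ATOM_CENTER));
    return 0;
}
```

Calling text_align_unguarded with a NULL parent reproduces the crash from the report, which is why the demonstration only calls it with a real parent.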
Patch committed to HEAD
Thanks for taking care of this!