275564 - Random characters appear in XML parser "mismatched text" error message

Status: RESOLVED FIXED

(Core :: XML, defect, P1)

Description

[Heinz Kohl]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041220
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041220

message "XML Parsing Error: mismatched tag. Expected:
</http://www.w3.org/1999/xhtml�script>. Line Number 181, Column 5: .." (reported 
A greater set of 
- entity definitions in conjunction with 
- script tags with file references
leading to "XML mismatched tag" message

text is sometimes showing random junk, e.g. out of Entity definitions)

looks like a buffer overrun error: vanishing, 
- when some Entity declarations killed or 
- scripts wirh external file references are killed

source using xhtml-math-svg/xhtml-math-svg.dtd

Reproducible: Always

Steps to Reproduce:
1. "Additional Information" is holding a nearly minimum XML file to reproduce
the error
2. start the file NotMismatched.xml (the file, checked with W3C so far as
possible, is not mismatched and - without SVG - running under firefox)
3. to disappear: take away first or last half of the Entities for greek
uppercase letters or (alternatively) all script tags with external references

Actual Results:  
I have to go back to build 2004112523
1. "XML mismatched tag" message, often with crazy additional messages
XML Parsing Error: mismatched tag. 
   "Expected: </http://www.w3.org/1999/xhtml�script>" etc.
2. some - maybe wrong - changes leading to crashes (automatically reported)
3. killing all script tags with references to files, a page is built up,
   also when changing the string in <html xmlns="http://www.w3.org/1999/xhtml"
xmlns:sv... 

Expected Results:  
A RESULT LIKE THAT SEEN BY FIREFOX or better (not SVG version)
builds up to 2004112523 were processing sufficiently, the SVG DOM acting as
expected.
Hoped to get marker functionality and have seen some - after killing all script
references.

<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<?xml-stylesheet href="http://www.w3.org/StyleSheets/TR/W3C-REC.css"
type="text/css"?>
<?xml-stylesheet href="St_sCADch.css" type="text/css"?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0 plus SVG 1.1//EN"
"http://www.w3.org/2002/04/xhtml-math-svg/xhtml-math-svg.dtd" [ 
<!ENTITY abrasiveWork "&#x25BD;">
<!ENTITY aleph "&#x2135;">
<!ENTITY arc "&#x2312;">
<!ENTITY aroundProfile "&#x232E;">
<!ENTITY bowtie "&#x22C8;">
<!ENTITY button "&#x2751;">
<!ENTITY circle "&#x2299;">
<!ENTITY compose "&#x2384;">
<!ENTITY conical "&#x2332;">
<!ENTITY concentric "&#x233E;">
<!ENTITY copyright "&#x00A9;">
<!ENTITY counterBore "&#x2334;">
<!ENTITY counterSink "&#x2335;">
<!ENTITY curve "&#x219D;">
<!ENTITY cut "&#x2701;">
<!ENTITY cylindric "&#x232D;">
<!ENTITY degree "&#x02DA;">
<!ENTITY diameter "&#x2300;">
<!ENTITY dimension "&#x2194;">
<!ENTITY dimOrigin "&#x2331;">
<!ENTITY dot1u2 "&#x2234;">
<!ENTITY dot2u1 "&#x2235;">
<!ENTITY dot4 "&#x2237;">
<!ENTITY dot2 "&#x2236;">
<!ENTITY drillhole "&#x25D9;">
<!ENTITY drillthrough "&#x25CF;">
<!ENTITY eject "&#x23CF;">
<!ENTITY ellipse "&#x0298;">
<!ENTITY equalAndParallel "&#x22D5;">
<!ENTITY equiangular "&#x225A;">
<!ENTITY erase "&#x2326;">
<!ENTITY euro "&#x20AC;">
<!ENTITY hot "&#x2668;">
<!ENTITY identical "&#x2261;">
<!ENTITY kill "&#x2620;">
<!ENTITY leftOver "&#x21B6;">
<!ENTITY leftTurn "&#x21BA;">
<!ENTITY line "&#x2572;">
<!ENTITY lines "&#x2607;">
<!ENTITY linesB "&#x2319;">
<!ENTITY make "&#x2605;">
<!ENTITY matterLeft "&#x2345;">
<!ENTITY matterRight "&#x2346;">
<!ENTITY matterDown "&#x2356;">
<!ENTITY matterUp "&#x234F;">
<!ENTITY mail "&#x2709;">
<!ENTITY mesh "&#x2317;">
<!ENTITY midLines "&#x2388;">
<!ENTITY minusPlus "&#x2213;">
<!ENTITY nearly "&#x2248;">
<!ENTITY norm "&#x2016;">
<!ENTITY notes "&#x207E;">
<!ENTITY Ohm "&#x2126;">
<!ENTITY paragraph "&#x00B6;">
<!ENTITY perp "&#8869;">
<!ENTITY plusMinus "&#x00B1;">
<!ENTITY point "&#x2316;">
<!ENTITY polyline "&#x2608;">
<!ENTITY polygon "&#x2302;">
<!ENTITY proportional "&#x223C;">
<!ENTITY rarr "&#8594;">
<!ENTITY return "&#x23CE;">
<!ENTITY rightAngle "&#x22BE;">
<!ENTITY rightOver " &#x21B7;">
<!ENTITY rightTurn " &#x21BB;">
<!ENTITY save "&#x2707;">
<!ENTITY sector "&#x2314;">
<!ENTITY segment "&#x2313;">
<!ENTITY slope "&#x2333;">
<!ENTITY symmCross "&#x271C;">
<!ENTITY symmetric "&#x232F;">
<!ENTITY text "&#x2328;">
<!ENTITY totalRunout "&#x2330;">
<!ENTITY undo "&#x238C;">
<!ENTITY waste "&#x2672;">
<!ENTITY wavyLine "&#x2307;">

<!ENTITY warning "&#x26A0;">

<!ENTITY alpha "&#x0251;">
<!ENTITY beta "&#x03B2;">
<!ENTITY gamma "&#x0263;">
<!ENTITY delta "&#x03B4;">
<!ENTITY epsilon "&#x03B5;">
<!ENTITY zeta "&#x03B6;">
<!ENTITY eta "&#x03B7;">
<!ENTITY theta "&#x03B8;">
<!ENTITY kappa "&#x03BA;">
<!ENTITY lambda "&#x03BB;">
<!ENTITY mu "&#x03BC;">
<!ENTITY nu "&#x03BD;">
<!ENTITY xi "&#x03BE;">
<!ENTITY omicron "&#x03BF;">
<!ENTITY pi "&#x03C0;">
<!ENTITY plane "&#x03B5;">
<!ENTITY rho "&#x03C1;">
<!ENTITY sigma "&#x03C3;">
<!ENTITY tau "&#x03C4;">
<!ENTITY upsilon "&#x03C5;">
<!ENTITY phi "&#x03C6;">
<!ENTITY chi "&#x03C7;">
<!ENTITY psi "&#x03C8;">
<!ENTITY omega "&#x03C9;">
<!ENTITY increment "&#x2206;">

<!ENTITY Alpha "&#x0391;">
<!ENTITY Beta "&#x0392;">
<!ENTITY Gamma "&#x0393;">
<!ENTITY Delta "&#x0394;">
<!ENTITY Epsilon "&#x0395;">
<!ENTITY Zeta "&#x0396;">
<!ENTITY Eta "&#x0397;">
<!ENTITY Theta "&#x0398;">
<!ENTITY Kappa "&#x039A;">
<!ENTITY Lambda "&#x039B;">

<!ENTITY Mu "&#x039C;">
<!ENTITY Nu "&#x039D;">
<!ENTITY Xi "&#x039E;">
<!ENTITY Omicron "&#x039F;">
<!ENTITY Pi "&#x03A0;">
<!ENTITY Rho "&#x03A1;">
<!ENTITY Sigma "&#x03A3;">
<!ENTITY Tau "&#x03A4;">
<!ENTITY Upsilon "&#x03A5;">
<!ENTITY Phi "&#x3A6;">
<!ENTITY Chi "&#x03A7;">
<!ENTITY Psi "&#x03A8;">
<!ENTITY Omega "&#x03A9;">

]>
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:xlink="http://www.w3.org/1999/xlink">
  <head>
  <title>sCADch</title>

  <script type="text/javascript" src="Basic_sCADch.js"/>
  <script type="text/javascript" src="Basic1_sCADch.js"></script>

  </head>
  <body onload="init();">
  <!-- p class="msg">start body</p -->

	<svg:svg id="Pic" onkeyup="">  <!-- onmouseover="focus=Fxz"
style="z-index:2000;" !-  width="900px" height="600px" style="position: fixed;
top: 0; left: 0; cursor: crosshair;" -->

           <svg:defs>

           <svg:g class="invisible"> 
              <svg:foreignObject x="200" y="180" width="100" height="30">
                 <input type="text" value="demo" class="stranger"
onchange="objectModifier(this)" />
              </svg:foreignObject>
           </svg:g>

              <svg:path id="P" d="M0 5v-10M-5 0h10a5 5 0 0 1 0 5" class="P"/>

              <!-- svg:marker id="Triangle" viewBox="0 0 10 10" refX="0"
refY="5" markerUnits="strokeWidth" markerWidth="4" markerHeight="3"
orient="auto" style="stroke: orange; fill-opacity: 0.4;" -->
              <svg:marker id="Triangle" viewBox="0 0 10 10" refX="0" refY="5"
style="marker-units: stroke-width; marker-width: 10px; marker-height: 10px;
orient: auto; stroke: orange; fill-opacity: 0.4;">
                <svg:path d="M0 0L10 5L0 10z" />
              </svg:marker>

              <svg:pattern id="steel1" patternUnits="userSpaceOnUse" x="0" y="0"
width="30" height="30" viewBox="0 0 50 50">
                <svg:line x1="0" y1="7" x2="7" y2="0" class="steel"/>  <!-- to
be implemented in Mozilla SVG -->             
              </svg:pattern>
 
              <svg:linearGradient id="Gl" gradientUnits="objectBoundingBox"
x1="0%" x2="35%" y1="0%" y2="35%" spreadMethod="reflect"> <!-- style="offset:
5%; stop-color: #F60F00;"-->
                <svg:stop offset="0%" stop-color="#F60F00"/>
                <svg:stop offset="100%" stop-color="#0060FF" />
              </svg:linearGradient>

              <svg:linearGradient id="Gr" gradientUnits="userSpaceOnUse" x1="0%"
x2="35%" y1="0%" y2="35%" spreadMethod="repeat">
                <svg:stop offset="0%"  stop-color="#000000"/>
<!--style="offset:5%; stop-color:#F60000;" /-->
                <svg:stop offset="100%" stop-color="#000FFF"/> <!--
style="offset:95%; stop-color:#FFFFFF;" /-->
                <!-- stop offset="70%" stop-color="#FFF000" / -->
              </svg:linearGradient>

              <svg:symbol id="SyP" class="pt" viewBox="0 0 10 10" width="10"
height="10" >
                <svg:desc>sCADch symbol for "Point"</svg:desc>
                <svg:g class="pt">
                  <svg:rect class="pt" x="2" y="2" height="6" width="6"/>
                  <svg:line class="pt" x1="0" y1="0" x2="4" y2="4"/>
                  <svg:line class="pt" x1="0" y1="10" x2="4" y2="6"/>
                  <svg:line class="pt" x1="10" y1="0" x2="6" y2="4"/>
                  <svg:line class="pt" x1="10" y1="10" x2="6" y2="6"/>
                </svg:g>
              </svg:symbol>

           </svg:defs>
           <!-- "corporate design" objects (test objects!!) -->
            <svg:g class="example" transform="translate(600,300)" id="corps">
	      <svg:circle id="circ" r="1cm" cx="7.5cm" cy="0.28562cm" style="fill:
RGB(160,255,230); stroke: blue; fill-opacity: 0.3; stroke-width: 0; z-index:
inherit;"/>
	      <svg:circle id="circE" r="1cm" cx="7.50cm" cy="7.58562cm" style="fill:
RGB(255,245,210); fill-opacity: 0.5; stroke-width: 0; z-index: inherit;"/>

              <svg:rect x="10" y="10" width="50" height="50" style="fill:
url(#steel1);"/> <!-- waiting for a version with Schraffur in Mozilla SVG -->
              <svg:rect x="10" y="60" width="30" height="50" style="fill:
url(#Gl); opacity:0.5;"/> 
              <svg:rect x="10" y="110" width="30" height="50" fill="url(#Gr)"/> 
              <svg:rect id="schr" x="40" y="110" width="30" height="50"
fill="url(#Gr)" style="fill-opacity:0.3;"/> 
              <svg:rect x="40" y="210" width="-30" height="-50" style="fill:
url(#Gr);"/> 

              <svg:use x="10" y="20" xlink:href="#schr" width="100" height="100" />
              <svg:line id="marktest" x1="50" y1="200" x2="200" y2="100"
style="stroke: #E8F0F0; marker-end: url(#Triangle); stroke-width: 2;
marker-start: url(#Triangle);"/> <!-- marker: url(#Triangle);
marker:'url(#Triangle)' xlink:href="#Triangle"/ -->
              <svg:line id="marktest2" x1="60" y1="200" x2="210" y2="100"
class="test"/>

              <!-- svg:line id="linma" x1="50" y1="200" x2="200" y2="100"
style="marker: 'url(#Triangle)'; stroke-width: 2;"/ -->
              <!-- svg:line id="linmA" x1="50" y1="200" marker='url(#Triangle)'
x2="100" y2="60" style="stroke-width: 2;"/ -->
            </svg:g>

          <svg:g id="Gxz" onmouseover="focus=Fxz">
	    <svg:svg id="Sxz" width="600px" height="300px" viewBox="0 0 600 300">
	      <svg:polygon class="svg" points="0,0 599,0 599,299 0,299"/> <!--
style="stroke: #CCCCB0; fill: #C0DDDD; opacity: 0.2;"/ -->
	    </svg:svg>
          </svg:g>

          <!-- svg:path transform="translate(0,0)" id="Xxz" d="M0 2000 L0 5 M0
-5 L 0 -2000 M-2000 0 L-5 0 M5 0 L2000 0" class="cross"/ --> 
          <svg:path transform="translate(0,0)" id="Xxz" d="M0 2000 L 0 -2000
M-2000 0 L2000 0" class="cross"/>
 
          <svg:g id="Gxy" class="svg" transform="translate(0,300)"
onmouseover="focus=Fxy">
            <svg:svg id="Sxy" width="600px" height="300px" viewBox="0 0 600
300"> <!-- style="stroke: red; stroke-width: 1; fill: #DDC0DD; fill-opacity:
0.3; overflow: hidden;"-->
	      <svg:polyline class="svg" points="0,0 599,0 599,299 0,299 0,0"/>
<!--style="stroke: #CCCCB0; fill: #C0DDDD; opacity: 0.2;"/-->
              <svg:line id="Xxy" x1="-2000" y1="0" x2="2000" y2="0"  class="cross"/>
              <!-- svg:path transform="translate(0,0)" id="Xxy" d="M2000 0 L5 0
M-5 0 L -2000 0" class="cross"/ -->
            </svg:svg>
          </svg:g>

          <svg:g id="Gyz" transform="translate(600,0)" onmouseover="focus=Fyz">
            <svg:svg id="Syz" width="300px" height="300px" viewBox="0 0 300
300"> <!-- style="stroke: #88AABB; stroke-width: 1; fill: #DDDDC0; fill-opacity:
0.2; overflow: hidden;"-->
	      <svg:polyline  class="svg" points="0,0 299,0 299,299 0,299 0,0"/> 
              <svg:line id="Xyz" x1="0" y1="2000" x2="0" y2="-2000"  class="cross"/>
              <!-- svg:path transform="translate(0,0)" id="Xyz" d="M0 2000 L0 5
M0 -5 L 0 -2000" class="cross"/ -->
            </svg:svg>

          </svg:g>

	</svg:svg>

    <form id="cmdTableau">
        <p><input type="text" width="23" readonly="readonly" id="ioLine"
title="show input value on click"/>
           <input type="text" width="12" readonly="readonly" id="ioChar"
title="general IO input line"/>
        </p>

        <p><span>&point;</span><img src="space.gif" class="cmdCol1"/>
          <button type="button" id="NumPoint" onclick="setPoint()" title="set a
point with actual coordinates" style="color: black;"><h3>&point;</h3></button>
          <button type="button" title="set next | read actual point: x coord" 
style="border-style:none; z-index: 0; position: absolute; background-color:
transparent;" class="block"><tt>x</tt></button><input type="text" id="NumX"
value="" onclick="copyText(this)"/> 
          <button type="button" title="set next | read actual point: y coord" 
style="border-style:none; z-index: 0; position: absolute; background-color:
transparent;" class="block"><tt>y</tt></button><input type="text" id="NumY"
value="" onclick="copyText(this)"/>
          <button type="button" title="set next | read actual point: z coord" 
style="border-style:none; z-index: 0; position: absolute; background-color:
transparent;" class="block"><tt>z</tt></button><input type="text" id="NumZ"
value="" onclick="copyText(this)"/> 
        </p>

        <p><span>&line;</span><img src="space.gif" class="cmdCol1"/>
          <button type="button" id="Line" title="make one distinct construction
line(s)" onclick="makeLine()" class="L"><h1>&line;</h1></button>
          <button type="button" id="Lines" title="make connected, but distinct
construction lines" onclick="makeLines()" class="L"><h3>&lines;</h3></button>
        </p>

        <p class="P"><span>&polygon;</span><img src="space.gif" class="cmdCol1"/>
          <button type="button" id="Polygon" title="polygon; 3D straight lines,
auto closing" onclick="makePolyline(Polygonclass,'polygon')"
class="P"><h3>&polygon;</h3></button>
          <button type="button" id="PolygonHold" title="polygon, hold points; 3D
straight lines, auto closing" onclick="makePolyline(Polygonclass,'polygon',1)"
class="P"><h3>&polygon;</h3><em>&nbsp;&nbsp;&point;</em></button>
          <button type="button" id="Polyline" title="polyline; 3D straight
lines" onclick="makePolyline(Polylineclass,'polyline')"><h3>&polyline;</h3></button>
          <button type="button" id="PolylineHold" title="polyline, hold points;
3D straight lines"
onclick="makePolyline(Polylineclass,'polyline',1)"><h3>&polyline;</h3><em>&nbsp;&nbsp;&point;</em></button>
        </p>

        <p class="C"><span>&circle;</span><img src="space.gif" class="cmdCol1"/>
          <button type="button" id="doCircle" title="circle from 3 peripheral
points" onclick="makeCircle()" class="C"><u>&circle;</u></button>
          <button type="button" id="doCircleHold" title="circle from 3
peripheral points, hold points" onclick="makeCircle(1)"
class="C"><u>&circle;</u><em>&nbsp;&nbsp;&point;</em></button>
          <button type="button" id="doEllipse" title="ellipse,
&point;1-&point;3:plane, &point;1+&point;4:&circ;&cylindric; axe, &point;2 on
&ellipse;" onclick="makeEllipse()"><em>&ellipse;</em></button>
          <button type="button" id="doEllipseHold" title="ellipse, hold points"
onclick="makeEllipse(1)"><em>&ellipse;</em><em>&nbsp;&nbsp;&point;</em></button>
        </p>

        <p><span>&plane;</span><img src="space.gif" class="cmdCol1"/>
          <button type="button" id="Ebene" title="make plane, 3 points"
onclick="setPlane()" class="E"><h3>&dot1u2;</h3></button>
          <button type="button" id="EbeneN" title="make plane, &perp;"
onclick="setPlaneN()" class="E"><h3>&perp;</h3></button>
          <button type="button" id="WorksPlane" title="+/- set/unset work plane"
onclick="setWorkPlane('this')" class="E"><em>&plane;</em><h3>&plusmn;</h3></button>
          <button type="button" id="Ebene3" title="3rd coordinate of points:
point on work plane" onclick="setToPlane()"
class="E"><em>&plane;</em><h3>&rarr;</h3></button>
        </p>
        <p><span>?</span><img src="space.gif" class="cmdCol1"/>
          <button type="button" id="erase" title="erase elements"
onclick="EraseObjects()" class="W"><h3>&erase;</h3><h2>&kill;</h2></button>
          <button type="button" id="crazy" title="init, to be used, when auto
init was failing" onclick="init()" class="S"><u>&aleph;</u></button>
          <!-- <button type="button" id="ttxt"  onclick="tytxt()">ttxt</button> -->
          <button type="button" id="ClearText" title="clear information text
area" onclick="ClearWrite()" class="S"><em>&text;</em><h3>&erase;</h3></button>
          <button type="button" id="toDump" title="dump notes to text area;
toggle button" onclick="dumpen=!dumpen"
class="S"><em>&text;</em><h3>&plusmn;</h3></button>
        </p>
        <p>
          <span id="ButtRest">&button;</span><img src="space.gif" class="cmdCol1"/>
          <button type="button" class="block"><tt>id</tt></button>   <input
type="text"  id="idButt"    title="button identifier" onclick="copyText(this)"/>
          <button type="button" class="block"><tt>sym</tt></button>  <input
type="text"  id="symButt"   title="button text/symbol (use unicode chars)"
onclick="copyText(this)"/>
          <button type="button" class="block"><tt>func</tt></button> <input
type="text"  id="fuButt"    title="button functionality, event action, e.g.
function call" onclick="copyText(this)"/>
          <button type="button" class="block"><tt>class</tt></button><input
type="text"  id="classButt" title="button style class, optional, for definition
requirements see class butt" onclick="copyText(this)"/>
          <button type="button" class="block"><tt>type</tt></button> <input
type="text"  id="typeButt"  title="button type, mainly 'button'|'text'"
value="button" onclick="copyText(this)"/>          
          <button type="button" class="block"><tt>desc</tt></button> <input
type="text"  id="descButt"  title="key title, describe functionality!"
onclick="copyText(this)"/>

          <button type="button" id="mkButt" onclick="makeButton()" title="make
button. button position: mousedown and mousemove. fix position: &not;
button"><em>&make;</em></button>
          <button type="button" onclick="standardButtonPlaces()" title="position
moveable or, when confirming: first click: last button places, second: initial
places"><h1>&larr;</h1></button>
          <button type="button" onclick="cancelButton('idButt')" title="pos
button using key m, mousedown and mousemove"><h1>&not;</h1></button>
        </p>
        <p>
        <textarea id="Dump"></textarea>
        </p>

    </form>

<!-- p class="msg">at end of body</p -->

  </body>
</html>

Comment 1

[Heinz Kohl]

this seems to be a general browser problem, 
and not SVG-specific as I thaught first (but of course, the DTD is needing much
more space here).

As a first action, I've outcommented all Entities I don't need at the moment,
and now I'm able to use the actual build.

Comment 2

[timeless]

please attach a single file with the mime type of your choice that triggers this
problem, if it doesn't require svg, then please omit it :).

Comment 3

[Heinz Kohl]

Attachment: .xml source (as .html not error producing)

this .xml-file reproduces this error without SVG and even in Firefox 1.0 /
windows XP version
(but no error reproduction, when started as .html-file instead of .xml)

Comment 4

[Boris Zbarsky [:bzbarsky]]

Not an SVG issue, and in fact I see the parsing problem on a _very_ minimal
testcase.  Since I also see it with builds going back for a while (at least a
year), I've filed bug 279076 on that issue.  Let's see whether fixing that fixes
this bug too.

Comment 5

[Boris Zbarsky [:bzbarsky]]

OK, the issue I was seeing in bug 279076 is something else...

Comment 6

[Boris Zbarsky [:bzbarsky]]

Attachment: Slightly smaller testcase

Comment 7

[Boris Zbarsky [:bzbarsky]]

OK, with the "slightly smaller testcase" I get random garbage characters as the
error text when I repeatedly reload the testcase....  The two <script> tags are
needed.  Removing some of the <!ENTITY>s makes the problem go away altogether
(shows error at </head>).  The number currently in the file is about minimal for
what shows the problem; I could maybe cut a few more out.

This isn't a regression from the expat landing, but it looks like there's a bug
_somewhere_ here as far as suspending the parser goes...

Comment 8

[Christian :Biesinger (don't email me, ping me on IRC)]

So... isn't the bug just that the error message is somewhat strange? The <aaa>
is indeed not closed in the testcase. Given that, how does this differ from bug
279078? (I.e. that bug is a dup of this one, imo)


oh, hm, I guess this just means that I can't reproduce this bug, since I'm not
getting random characters as the error. I'm only getting that U+FFFF in the
error message after the namespace url.

Comment 9

[Christian :Biesinger (don't email me, ping me on IRC)]

Comment on attachment 171848 [details]
Slightly smaller testcase

ah, nevermind. I do see the bug. the random characters are just in the source
line snippet.

Comment 10

[Boris Zbarsky [:bzbarsky]]

Yes, I should have made that clearer.  The "original source" red text is where
the random bytes are.

Comment 11

[Boris Zbarsky [:bzbarsky]]

So the problem here is that we're in the final chunk and our mLastLine is pretty
much garbage...

Why are we messing with mLastLine anyway?  Can't we expose an expat API to give
us a pointer to the buffer it was parsing when it ran into an error?  It already
gives us the offset into this buffer, so I'm a little surprised it doesn't give
the buffer itself.  Then we could just grab the line directly out of that.

Comment 12

[Boris Zbarsky [:bzbarsky]]

Looks like by the time we get down into HandleError expat has already nixed its
internal buffer... So that won't work.

Right now, if everything goes "right", we're showing the last "line" of the
chunk before the last chunk as the error text.  Which is pretty silly...

Comment 13

[Boris Zbarsky [:bzbarsky]]

Attachment: Patch I tried (does not work)

Comment 14

[jag (Peter Annema)]

So here's what bz and I were mulling over:

in HandleError, to get the line of source to display:

find the current line using GetLine
if it's at the beginning of the buffer
  append the current line to the previous chunk's last line (mLastLine)
  use GetLine to find the complete error line

Comment 15

[Boris Zbarsky [:bzbarsky]]

jag and I have this sorted out, we think.

The problem is that XML_Parse returns success but the current byte position of
expat is not at the end of the chunk we passed it (say there's part of an
opening or closing tag at the chunk boundary).  Then we pass it the _next_
chunk, and it figures out that there was a parse error in the data it didn't
consume last time.  It reports this to us, and we try to get the line the error
is in, but think the error is at a negative offset which we cast to PRUint32...
and then end up scanning up to the next null, at least, which may well be
somewhere past the end of our data.

The solution we settled on is that what this code _really_ needs to keep is all
the data after the last consumed newline.  In other words, any time expat
consumes some data we want to scan backwards from the end of that data.  If we
find a newline, replace our "last line" string with everything after that
newline.  Otherwise, append all the data expat consumed to our "last line" string.

Then on parse error we want to append the incoming buffer to our "last line"
string and call GetLine() on that.

Setting URL to a simple testcase that reliably makes us show somewhat bogus
error text and reliably triggers some asserts in nsExpatDriver.

Comment 16

[Boris Zbarsky [:bzbarsky]]

Attachment: Still not quite right

This is better, but still fails because the current byte index reported by
expat if it blocks in a chunk after stopping in mid-start-tag on the preceding
chunk boundary is weird.

Comment 17

[Boris Zbarsky [:bzbarsky]]

We want to fix this for 1.8.  Reading random memory is bad (and could have
security implications, in fact).

Comment 18

[Peter Van der Beken [:peterv]]

This patch makes us do more work for all documents, even those with no error, right?

Comment 19

[Heinz Kohl]

(In reply to comment #18)
> This patch makes us do more work for all documents, even those with no error,
right?

You shouldn't be too pessimistic :-) 
- before sending an error message, I've checked the original source for
correctness of xml and css using the W3C checkers (no error, no warning)

Comment 20

[Peter Van der Beken [:peterv]]

Hmm, nevermind, I forgot we always copy the last line already.

Comment 21

[jag (Peter Annema)]

Yeah, but we still end up doing a little more work. Not sure how that can be
avoided.

Comment 22

[Boris Zbarsky [:bzbarsky]]

Perhaps people aren't clear on what's going on here.  This bug allows a
malicious attacker to possibly read random memory on the user's computer into a
DOM the attacker can then serialize and send back to the server.  This means
that this can be used to look for things like usernames and passwords in the
local memory.

I really don't think we want to be shipping any more releases with this bug.

Comment 23

[Peter Van der Beken [:peterv]]

Yeah, I've been working on this and bug 291827. It's a bit too late to switch to
the new Expat, so I'm going to fix bug 291827 first.

Comment 24

[Peter Van der Beken [:peterv]]

Attachment: v1.1

This is essentially bz's patch, with some minor changes. I reviewed, so
r=peterv.

Comment 25

[Johnny Stenback (:jst)]

Comment on attachment 187956 [details] [diff] [review]
v1.1

sr=jst