Bug 275564: Random characters appear in XML parser "mismatched text" error message
Status: Closed, RESOLVED FIXED (opened 20 years ago, closed 19 years ago)
Categories: Core :: XML, defect, P1
Tracking: mozilla1.8beta3
People: Reporter: kohl, Assigned: peterv
Whiteboard: [sg:fix] Comment 19 has nothing to do with this bug
Attachments (2 files, 3 obsolete files):
4.01 KB, application/xml
12.75 KB, patch (peterv: review+, jst: superreview+, benjamin: approval1.8b4+)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041220
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041220
message "XML Parsing Error: mismatched tag. Expected: </http://www.w3.org/1999/xhtml�script>. Line Number 181, Column 5: .." (reported
A greater set of
- entity definitions in conjunction with
- script tags with file references
leading to "XML mismatched tag"
message text is sometimes showing random junk, e.g. out of Entity definitions)
looks like a buffer overrun error: vanishing,
- when some Entity declarations killed or
- scripts with external file references are killed
source using xhtml-math-svg/xhtml-math-svg.dtd
Reproducible: Always
Steps to Reproduce:
1. "Additional Information" is holding a nearly minimum XML file to reproduce the error
2. start the file NotMismatched.xml (the file, checked with W3C so far as possible, is not mismatched and - without SVG - running under firefox)
3. to disappear: take away first or last half of the Entities for greek uppercase letters or (alternatively) all script tags with external references
Actual Results:
I have to go back to build 2004112523
1. "XML mismatched tag" message, often with crazy additional messages XML Parsing Error: mismatched tag. "Expected: </http://www.w3.org/1999/xhtml�script>" etc.
2. some - maybe wrong - changes leading to crashes (automatically reported)
3. killing all script tags with references to files, a page is built up, also when changing the string in <html xmlns="http://www.w3.org/1999/xhtml" xmlns:sv...
Expected Results:
A RESULT LIKE THAT SEEN BY FIREFOX or better (not SVG version)
builds up to 2004112523 were processing sufficiently, the SVG DOM acting as expected. Hoped to get marker functionality and have seen some - after killing all script references.
<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?> <?xml-stylesheet href="http://www.w3.org/StyleSheets/TR/W3C-REC.css" type="text/css"?> <?xml-stylesheet href="St_sCADch.css" type="text/css"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0 plus SVG 1.1//EN" "http://www.w3.org/2002/04/xhtml-math-svg/xhtml-math-svg.dtd" [ <!ENTITY abrasiveWork "▽"> <!ENTITY aleph "ℵ"> <!ENTITY arc "⌒"> <!ENTITY aroundProfile "⌮"> <!ENTITY bowtie "⋈"> <!ENTITY button "❑"> <!ENTITY circle "⊙"> <!ENTITY compose "⎄"> <!ENTITY conical "⌲"> <!ENTITY concentric "⌾"> <!ENTITY copyright "©"> <!ENTITY counterBore "⌴"> <!ENTITY counterSink "⌵"> <!ENTITY curve "↝"> <!ENTITY cut "✁"> <!ENTITY cylindric "⌭"> <!ENTITY degree "˚"> <!ENTITY diameter "⌀"> <!ENTITY dimension "↔"> <!ENTITY dimOrigin "⌱"> <!ENTITY dot1u2 "∴"> <!ENTITY dot2u1 "∵"> <!ENTITY dot4 "∷"> <!ENTITY dot2 "∶"> <!ENTITY drillhole "◙"> <!ENTITY drillthrough "●"> <!ENTITY eject "⏏"> <!ENTITY ellipse "ʘ"> <!ENTITY equalAndParallel "⋕"> <!ENTITY equiangular "≚"> <!ENTITY erase "⌦"> <!ENTITY euro "€"> <!ENTITY hot "♨"> <!ENTITY identical "≡"> <!ENTITY kill "☠"> <!ENTITY leftOver "↶"> <!ENTITY leftTurn "↺"> <!ENTITY line "╲"> <!ENTITY lines "☇"> <!ENTITY linesB "⌙"> <!ENTITY make "★"> <!ENTITY matterLeft "⍅"> <!ENTITY matterRight "⍆"> <!ENTITY matterDown "⍖"> <!ENTITY matterUp "⍏"> <!ENTITY mail "✉"> <!ENTITY mesh "⌗"> <!ENTITY midLines "⎈"> <!ENTITY minusPlus "∓"> <!ENTITY nearly "≈"> <!ENTITY norm "‖"> <!ENTITY notes "⁾"> <!ENTITY Ohm "Ω"> <!ENTITY paragraph "¶"> <!ENTITY perp "⊥"> <!ENTITY plusMinus "±"> <!ENTITY point "⌖"> <!ENTITY polyline "☈"> <!ENTITY polygon "⌂"> <!ENTITY proportional "∼"> <!ENTITY rarr "→"> <!ENTITY return "⏎"> <!ENTITY rightAngle "⊾"> <!ENTITY rightOver " ↷"> <!ENTITY rightTurn " ↻"> <!ENTITY save "✇"> <!ENTITY sector "⌔"> <!ENTITY segment "⌓"> <!ENTITY slope "⌳"> <!ENTITY symmCross "✜"> <!ENTITY symmetric "⌯"> <!ENTITY text "⌨"> <!ENTITY totalRunout "⌰"> <!ENTITY undo "⎌"> <!ENTITY 
waste "♲"> <!ENTITY wavyLine "⌇"> <!ENTITY warning "⚠"> <!ENTITY alpha "ɑ"> <!ENTITY beta "β"> <!ENTITY gamma "ɣ"> <!ENTITY delta "δ"> <!ENTITY epsilon "ε"> <!ENTITY zeta "ζ"> <!ENTITY eta "η"> <!ENTITY theta "θ"> <!ENTITY kappa "κ"> <!ENTITY lambda "λ"> <!ENTITY mu "μ"> <!ENTITY nu "ν"> <!ENTITY xi "ξ"> <!ENTITY omicron "ο"> <!ENTITY pi "π"> <!ENTITY plane "ε"> <!ENTITY rho "ρ"> <!ENTITY sigma "σ"> <!ENTITY tau "τ"> <!ENTITY upsilon "υ"> <!ENTITY phi "φ"> <!ENTITY chi "χ"> <!ENTITY psi "ψ"> <!ENTITY omega "ω"> <!ENTITY increment "∆"> <!ENTITY Alpha "Α"> <!ENTITY Beta "Β"> <!ENTITY Gamma "Γ"> <!ENTITY Delta "Δ"> <!ENTITY Epsilon "Ε"> <!ENTITY Zeta "Ζ"> <!ENTITY Eta "Η"> <!ENTITY Theta "Θ"> <!ENTITY Kappa "Κ"> <!ENTITY Lambda "Λ"> <!ENTITY Mu "Μ"> <!ENTITY Nu "Ν"> <!ENTITY Xi "Ξ"> <!ENTITY Omicron "Ο"> <!ENTITY Pi "Π"> <!ENTITY Rho "Ρ"> <!ENTITY Sigma "Σ"> <!ENTITY Tau "Τ"> <!ENTITY Upsilon "Υ"> <!ENTITY Phi "Φ"> <!ENTITY Chi "Χ"> <!ENTITY Psi "Ψ"> <!ENTITY Omega "Ω"> ]> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:svg="http://www.w3.org/2000/svg" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" xmlns:xlink="http://www.w3.org/1999/xlink"> <head> <title>sCADch</title> <script type="text/javascript" src="Basic_sCADch.js"/> <script type="text/javascript" src="Basic1_sCADch.js"></script> </head> <body onload="init();"> <!-- p class="msg">start body</p --> <svg:svg id="Pic" onkeyup=""> <!-- onmouseover="focus=Fxz" style="z-index:2000;" !- width="900px" height="600px" style="position: fixed; top: 0; left: 0; cursor: crosshair;" --> <svg:defs> <svg:g class="invisible"> <svg:foreignObject x="200" y="180" width="100" height="30"> <input type="text" value="demo" class="stranger" onchange="objectModifier(this)" /> </svg:foreignObject> </svg:g> <svg:path id="P" d="M0 5v-10M-5 0h10a5 5 0 0 1 0 5" class="P"/> <!-- svg:marker id="Triangle" viewBox="0 0 10 10" refX="0" refY="5" markerUnits="strokeWidth" markerWidth="4" markerHeight="3" orient="auto" 
style="stroke: orange; fill-opacity: 0.4;" --> <svg:marker id="Triangle" viewBox="0 0 10 10" refX="0" refY="5" style="marker-units: stroke-width; marker-width: 10px; marker-height: 10px; orient: auto; stroke: orange; fill-opacity: 0.4;"> <svg:path d="M0 0L10 5L0 10z" /> </svg:marker> <svg:pattern id="steel1" patternUnits="userSpaceOnUse" x="0" y="0" width="30" height="30" viewBox="0 0 50 50"> <svg:line x1="0" y1="7" x2="7" y2="0" class="steel"/> <!-- to be implemented in Mozilla SVG --> </svg:pattern> <svg:linearGradient id="Gl" gradientUnits="objectBoundingBox" x1="0%" x2="35%" y1="0%" y2="35%" spreadMethod="reflect"> <!-- style="offset: 5%; stop-color: #F60F00;"--> <svg:stop offset="0%" stop-color="#F60F00"/> <svg:stop offset="100%" stop-color="#0060FF" /> </svg:linearGradient> <svg:linearGradient id="Gr" gradientUnits="userSpaceOnUse" x1="0%" x2="35%" y1="0%" y2="35%" spreadMethod="repeat"> <svg:stop offset="0%" stop-color="#000000"/> <!--style="offset:5%; stop-color:#F60000;" /--> <svg:stop offset="100%" stop-color="#000FFF"/> <!-- style="offset:95%; stop-color:#FFFFFF;" /--> <!-- stop offset="70%" stop-color="#FFF000" / --> </svg:linearGradient> <svg:symbol id="SyP" class="pt" viewBox="0 0 10 10" width="10" height="10" > <svg:desc>sCADch symbol for "Point"</svg:desc> <svg:g class="pt"> <svg:rect class="pt" x="2" y="2" height="6" width="6"/> <svg:line class="pt" x1="0" y1="0" x2="4" y2="4"/> <svg:line class="pt" x1="0" y1="10" x2="4" y2="6"/> <svg:line class="pt" x1="10" y1="0" x2="6" y2="4"/> <svg:line class="pt" x1="10" y1="10" x2="6" y2="6"/> </svg:g> </svg:symbol> </svg:defs> <!-- "corporate design" objects (test objects!!) 
--> <svg:g class="example" transform="translate(600,300)" id="corps"> <svg:circle id="circ" r="1cm" cx="7.5cm" cy="0.28562cm" style="fill: RGB(160,255,230); stroke: blue; fill-opacity: 0.3; stroke-width: 0; z-index: inherit;"/> <svg:circle id="circE" r="1cm" cx="7.50cm" cy="7.58562cm" style="fill: RGB(255,245,210); fill-opacity: 0.5; stroke-width: 0; z-index: inherit;"/> <svg:rect x="10" y="10" width="50" height="50" style="fill: url(#steel1);"/> <!-- waiting for a version with Schraffur in Mozilla SVG --> <svg:rect x="10" y="60" width="30" height="50" style="fill: url(#Gl); opacity:0.5;"/> <svg:rect x="10" y="110" width="30" height="50" fill="url(#Gr)"/> <svg:rect id="schr" x="40" y="110" width="30" height="50" fill="url(#Gr)" style="fill-opacity:0.3;"/> <svg:rect x="40" y="210" width="-30" height="-50" style="fill: url(#Gr);"/> <svg:use x="10" y="20" xlink:href="#schr" width="100" height="100" /> <svg:line id="marktest" x1="50" y1="200" x2="200" y2="100" style="stroke: #E8F0F0; marker-end: url(#Triangle); stroke-width: 2; marker-start: url(#Triangle);"/> <!-- marker: url(#Triangle); marker:'url(#Triangle)' xlink:href="#Triangle"/ --> <svg:line id="marktest2" x1="60" y1="200" x2="210" y2="100" class="test"/> <!-- svg:line id="linma" x1="50" y1="200" x2="200" y2="100" style="marker: 'url(#Triangle)'; stroke-width: 2;"/ --> <!-- svg:line id="linmA" x1="50" y1="200" marker='url(#Triangle)' x2="100" y2="60" style="stroke-width: 2;"/ --> </svg:g> <svg:g id="Gxz" onmouseover="focus=Fxz"> <svg:svg id="Sxz" width="600px" height="300px" viewBox="0 0 600 300"> <svg:polygon class="svg" points="0,0 599,0 599,299 0,299"/> <!-- style="stroke: #CCCCB0; fill: #C0DDDD; opacity: 0.2;"/ --> </svg:svg> </svg:g> <!-- svg:path transform="translate(0,0)" id="Xxz" d="M0 2000 L0 5 M0 -5 L 0 -2000 M-2000 0 L-5 0 M5 0 L2000 0" class="cross"/ --> <svg:path transform="translate(0,0)" id="Xxz" d="M0 2000 L 0 -2000 M-2000 0 L2000 0" class="cross"/> <svg:g id="Gxy" class="svg" 
transform="translate(0,300)" onmouseover="focus=Fxy"> <svg:svg id="Sxy" width="600px" height="300px" viewBox="0 0 600 300"> <!-- style="stroke: red; stroke-width: 1; fill: #DDC0DD; fill-opacity: 0.3; overflow: hidden;"--> <svg:polyline class="svg" points="0,0 599,0 599,299 0,299 0,0"/> <!--style="stroke: #CCCCB0; fill: #C0DDDD; opacity: 0.2;"/--> <svg:line id="Xxy" x1="-2000" y1="0" x2="2000" y2="0" class="cross"/> <!-- svg:path transform="translate(0,0)" id="Xxy" d="M2000 0 L5 0 M-5 0 L -2000 0" class="cross"/ --> </svg:svg> </svg:g> <svg:g id="Gyz" transform="translate(600,0)" onmouseover="focus=Fyz"> <svg:svg id="Syz" width="300px" height="300px" viewBox="0 0 300 300"> <!-- style="stroke: #88AABB; stroke-width: 1; fill: #DDDDC0; fill-opacity: 0.2; overflow: hidden;"--> <svg:polyline class="svg" points="0,0 299,0 299,299 0,299 0,0"/> <svg:line id="Xyz" x1="0" y1="2000" x2="0" y2="-2000" class="cross"/> <!-- svg:path transform="translate(0,0)" id="Xyz" d="M0 2000 L0 5 M0 -5 L 0 -2000" class="cross"/ --> </svg:svg> </svg:g> </svg:svg> <form id="cmdTableau"> <p><input type="text" width="23" readonly="readonly" id="ioLine" title="show input value on click"/> <input type="text" width="12" readonly="readonly" id="ioChar" title="general IO input line"/> </p> <p><span>&point;</span><img src="space.gif" class="cmdCol1"/> <button type="button" id="NumPoint" onclick="setPoint()" title="set a point with actual coordinates" style="color: black;"><h3>&point;</h3></button> <button type="button" title="set next | read actual point: x coord" style="border-style:none; z-index: 0; position: absolute; background-color: transparent;" class="block"><tt>x</tt></button><input type="text" id="NumX" value="" onclick="copyText(this)"/> <button type="button" title="set next | read actual point: y coord" style="border-style:none; z-index: 0; position: absolute; background-color: transparent;" class="block"><tt>y</tt></button><input type="text" id="NumY" value="" onclick="copyText(this)"/> 
<button type="button" title="set next | read actual point: z coord" style="border-style:none; z-index: 0; position: absolute; background-color: transparent;" class="block"><tt>z</tt></button><input type="text" id="NumZ" value="" onclick="copyText(this)"/> </p> <p><span>&line;</span><img src="space.gif" class="cmdCol1"/> <button type="button" id="Line" title="make one distinct construction line(s)" onclick="makeLine()" class="L"><h1>&line;</h1></button> <button type="button" id="Lines" title="make connected, but distinct construction lines" onclick="makeLines()" class="L"><h3>&lines;</h3></button> </p> <p class="P"><span>&polygon;</span><img src="space.gif" class="cmdCol1"/> <button type="button" id="Polygon" title="polygon; 3D straight lines, auto closing" onclick="makePolyline(Polygonclass,'polygon')" class="P"><h3>&polygon;</h3></button> <button type="button" id="PolygonHold" title="polygon, hold points; 3D straight lines, auto closing" onclick="makePolyline(Polygonclass,'polygon',1)" class="P"><h3>&polygon;</h3><em> &point;</em></button> <button type="button" id="Polyline" title="polyline; 3D straight lines" onclick="makePolyline(Polylineclass,'polyline')"><h3>&polyline;</h3></button> <button type="button" id="PolylineHold" title="polyline, hold points; 3D straight lines" onclick="makePolyline(Polylineclass,'polyline',1)"><h3>&polyline;</h3><em> &point;</em></button> </p> <p class="C"><span>&circle;</span><img src="space.gif" class="cmdCol1"/> <button type="button" id="doCircle" title="circle from 3 peripheral points" onclick="makeCircle()" class="C"><u>&circle;</u></button> <button type="button" id="doCircleHold" title="circle from 3 peripheral points, hold points" onclick="makeCircle(1)" class="C"><u>&circle;</u><em> &point;</em></button> <button type="button" id="doEllipse" title="ellipse, &point;1-&point;3:plane, &point;1+&point;4:ˆ&cylindric; axe, &point;2 on &ellipse;" onclick="makeEllipse()"><em>&ellipse;</em></button> <button type="button" 
id="doEllipseHold" title="ellipse, hold points" onclick="makeEllipse(1)"><em>&ellipse;</em><em> &point;</em></button> </p> <p><span>&plane;</span><img src="space.gif" class="cmdCol1"/> <button type="button" id="Ebene" title="make plane, 3 points" onclick="setPlane()" class="E"><h3>&dot1u2;</h3></button> <button type="button" id="EbeneN" title="make plane, ⊥" onclick="setPlaneN()" class="E"><h3>⊥</h3></button> <button type="button" id="WorksPlane" title="+/- set/unset work plane" onclick="setWorkPlane('this')" class="E"><em>&plane;</em><h3>±</h3></button> <button type="button" id="Ebene3" title="3rd coordinate of points: point on work plane" onclick="setToPlane()" class="E"><em>&plane;</em><h3>→</h3></button> </p> <p><span>?</span><img src="space.gif" class="cmdCol1"/> <button type="button" id="erase" title="erase elements" onclick="EraseObjects()" class="W"><h3>&erase;</h3><h2>&kill;</h2></button> <button type="button" id="crazy" title="init, to be used, when auto init was failing" onclick="init()" class="S"><u>ℵ</u></button> <!-- <button type="button" id="ttxt" onclick="tytxt()">ttxt</button> --> <button type="button" id="ClearText" title="clear information text area" onclick="ClearWrite()" class="S"><em>&text;</em><h3>&erase;</h3></button> <button type="button" id="toDump" title="dump notes to text area; toggle button" onclick="dumpen=!dumpen" class="S"><em>&text;</em><h3>±</h3></button> </p> <p> <span id="ButtRest">&button;</span><img src="space.gif" class="cmdCol1"/> <button type="button" class="block"><tt>id</tt></button> <input type="text" id="idButt" title="button identifier" onclick="copyText(this)"/> <button type="button" class="block"><tt>sym</tt></button> <input type="text" id="symButt" title="button text/symbol (use unicode chars)" onclick="copyText(this)"/> <button type="button" class="block"><tt>func</tt></button> <input type="text" id="fuButt" title="button functionality, event action, e.g. 
function call" onclick="copyText(this)"/> <button type="button" class="block"><tt>class</tt></button><input type="text" id="classButt" title="button style class, optional, for definition requirements see class butt" onclick="copyText(this)"/> <button type="button" class="block"><tt>type</tt></button> <input type="text" id="typeButt" title="button type, mainly 'button'|'text'" value="button" onclick="copyText(this)"/> <button type="button" class="block"><tt>desc</tt></button> <input type="text" id="descButt" title="key title, describe functionality!" onclick="copyText(this)"/> <button type="button" id="mkButt" onclick="makeButton()" title="make button. button position: mousedown and mousemove. fix position: ¬ button"><em>&make;</em></button> <button type="button" onclick="standardButtonPlaces()" title="position moveable or, when confirming: first click: last button places, second: initial places"><h1>←</h1></button> <button type="button" onclick="cancelButton('idButt')" title="pos button using key m, mousedown and mousemove"><h1>¬</h1></button> </p> <p> <textarea id="Dump"></textarea> </p> </form> <!-- p class="msg">at end of body</p --> </body> </html>
Comment 1•20 years ago (Reporter)
this seems to be a general browser problem, and not SVG-specific as I thought first (but of course, the DTD is needing much more space here). As a first action, I've commented out all Entities I don't need at the moment, and now I'm able to use the actual build.
please attach a single file with the mime type of your choice that triggers this problem, if it doesn't require svg, then please omit it :).
Assignee: general → general
Component: General → SVG
Product: Mozilla Application Suite → Core
QA Contact: general → ian
Version: unspecified → Trunk
Comment 3•20 years ago (Reporter)
this .xml-file reproduces this error without SVG and even in Firefox 1.0 / windows XP version (but no error reproduction, when started as .html-file instead of .xml)
Comment 4•20 years ago
Not an SVG issue, and in fact I see the parsing problem on a _very_ minimal testcase. Since I also see it with builds going back for a while (at least a year), I've filed bug 279076 on that issue. Let's see whether fixing that fixes this bug too.
Component: SVG → XML
Depends on: 279076
Comment 5•20 years ago
OK, the issue I was seeing in bug 279076 is something else...
No longer depends on: 279076
Comment 6•20 years ago
Attachment #169356 - Attachment is obsolete: true
Comment 7•20 years ago
OK, with the "slightly smaller testcase" I get random garbage characters as the error text when I repeatedly reload the testcase.... The two <script> tags are needed. Removing some of the <!ENTITY>s makes the problem go away altogether (shows error at </head>). The number currently in the file is about minimal for what shows the problem; I could maybe cut a few more out. This isn't a regression from the expat landing, but it looks like there's a bug _somewhere_ here as far as suspending the parser goes...
Assignee: general → xml
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
QA Contact: ian → ashshbhatt
Hardware: PC → All
Comment 8•20 years ago
So... isn't the bug just that the error message is somewhat strange? The <aaa> is indeed not closed in the testcase. Given that, how does this differ from bug 279078? (I.e. that bug is a dup of this one, imo) oh, hm, I guess this just means that I can't reproduce this bug, since I'm not getting random characters as the error. I'm only getting that U+FFFF in the error message after the namespace url.
Comment 9•20 years ago
Comment on attachment 171848
Slightly smaller testcase
ah, nevermind. I do see the bug. the random characters are just in the source line snippet.
Comment 10•20 years ago
Yes, I should have made that clearer. The "original source" red text is where the random bytes are.
Comment 11•19 years ago
So the problem here is that we're in the final chunk and our mLastLine is pretty much garbage... Why are we messing with mLastLine anyway? Can't we expose an expat API to give us a pointer to the buffer it was parsing when it ran into an error? It already gives us the offset into this buffer, so I'm a little surprised it doesn't give the buffer itself. Then we could just grab the line directly out of that.
Comment 12•19 years ago
Looks like by the time we get down into HandleError expat has already nixed its internal buffer... So that won't work. Right now, if everything goes "right", we're showing the last "line" of the chunk before the last chunk as the error text. Which is pretty silly...
Comment 13•19 years ago
Comment 14•19 years ago
So here's what bz and I were mulling over: in HandleError, to get the line of source to display:
- find the current line using GetLine
- if it's at the beginning of the buffer append the current line to the previous chunk's last line (mLastLine)
- use GetLine to find the complete error line
Comment 15•19 years ago
jag and I have this sorted out, we think. The problem is that XML_Parse returns success but the current byte position of expat is not at the end of the chunk we passed it (say there's part of an opening or closing tag at the chunk boundary). Then we pass it the _next_ chunk, and it figures out that there was a parse error in the data it didn't consume last time. It reports this to us, and we try to get the line the error is in, but think the error is at a negative offset which we cast to PRUint32... and then end up scanning up to the next null, at least, which may well be somewhere past the end of our data.
The solution we settled on is that what this code _really_ needs to keep is all the data after the last consumed newline. In other words, any time expat consumes some data we want to scan backwards from the end of that data. If we find a newline, replace our "last line" string with everything after that newline. Otherwise, append all the data expat consumed to our "last line" string. Then on parse error we want to append the incoming buffer to our "last line" string and call GetLine() on that.
Setting URL to a simple testcase that reliably makes us show somewhat bogus error text and reliably triggers some asserts in nsExpatDriver.
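The bookkeeping Comment 15 describes, sketched in C as an added example (it is not the attached patch or any nsExpatDriver code). `LineTail`, `tail_note_chunk` and `tail_error_line` are hypothetical names, the input is constructed, and the sketch assumes every byte of each earlier chunk is recorded so that the saved tail plus the incoming chunk is contiguous; an offset outside the held bytes is rejected instead of being converted to an unsigned index.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes seen since the last newline in earlier chunks (hypothetical type). */
typedef struct { char *buf; size_t len; } LineTail;

/* The flaw from the comment: a negative offset converted to an unsigned
   32-bit index lands far outside the current chunk. */
static uint32_t unchecked_index(int32_t err_off) { return (uint32_t)err_off; }

/* Call after each chunk the parser accepted. Assumption: every byte of the
   chunk is recorded, including any the parser is still holding back. */
static int tail_note_chunk(LineTail *t, const char *data, size_t n)
{
    size_t keep_from = 0, old = t->len;
    for (size_t i = n; i > 0; i--)            /* scan backwards for a newline */
        if (data[i - 1] == '\n') { keep_from = i; old = 0; break; }
    size_t add = n - keep_from;
    char *p = realloc(t->buf, old + add + 1);
    if (!p) return -1;
    memcpy(p + old, data + keep_from, add);   /* replace (old == 0) or append */
    p[old + add] = '\0';
    t->buf = p;
    t->len = old + add;
    return 0;
}

/* Copy the line holding the error into out. err_off is relative to the start
   of chunk and may be negative. Returns the line length, or -1 when the
   position is outside the bytes actually held. */
static long tail_error_line(const LineTail *t, const char *chunk, size_t chunk_len,
                            long err_off, char *out, size_t out_cap)
{
    size_t total = t->len + chunk_len;
    long idx = (long)t->len + err_off;
    if (out_cap == 0 || idx < 0 || (size_t)idx > total) return -1;
    char *all = malloc(total + 1);
    if (!all) return -1;
    if (t->len) memcpy(all, t->buf, t->len);
    memcpy(all + t->len, chunk, chunk_len);
    size_t start = (size_t)idx, end = (size_t)idx;
    while (start > 0 && all[start - 1] != '\n') start--;
    while (end < total && all[end] != '\n') end++;
    size_t n = end - start;
    if (n >= out_cap) n = out_cap - 1;        /* truncate, never overrun out */
    memcpy(out, all + start, n);
    out[n] = '\0';
    free(all);
    return (long)n;
}

static char demo_out[64];
/* Constructed input: the closing tag straddles the chunk boundary, so the
   error position is reported as a negative offset into the second chunk. */
static long demo_error_line(long err_off)
{
    const char *c1 = "<head>\n<script src=\"a.js\"/>\n</he";
    const char *c2 = "ad>\n</html>\n";
    LineTail t = { NULL, 0 };
    if (tail_note_chunk(&t, c1, strlen(c1)) != 0) return -1;
    long n = tail_error_line(&t, c2, strlen(c2), err_off, demo_out, sizeof demo_out);
    free(t.buf);
    return n;
}

int main(void)
{
    printf("unchecked index for -4: %u\n", (unsigned)unchecked_index(-4));
    if (demo_error_line(-4) >= 0) printf("error line: %s\n", demo_out);
    return 0;
}
```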
Comment 16•19 years ago
This is better, but still fails because the current byte index reported by expat if it blocks in a chunk after stopping in mid-start-tag on the preceding chunk boundary is weird.
Attachment #181457 - Attachment is obsolete: true
Comment 17•19 years ago
We want to fix this for 1.8. Reading random memory is bad (and could have security implications, in fact).
Flags: blocking1.8b3?
Updated•19 years ago
Whiteboard: [sg:fix]
Comment 18•19 years ago (Assignee)
This patch makes us do more work for all documents, even those with no error, right?
Comment 19•19 years ago (Reporter)
(In reply to comment #18)
> This patch makes us do more work for all documents, even those with no error, right?
You shouldn't be too pessimistic :-) - before sending an error message, I've checked the original source for correctness of xml and css using the W3C checkers (no error, no warning)
Comment 20•19 years ago (Assignee)
Hmm, nevermind, I forgot we always copy the last line already.
Updated•19 years ago
Whiteboard: [sg:fix] → [sg:fix] Comment 19 has nothing to do with this bug
Comment 21•19 years ago
Yeah, but we still end up doing a little more work. Not sure how that can be avoided.
Updated•19 years ago
Flags: blocking1.8b4?
Flags: blocking1.8b3?
Flags: blocking1.8b3-
Comment 22•19 years ago
Perhaps people aren't clear on what's going on here. This bug allows a malicious attacker to possibly read random memory on the user's computer into a DOM the attacker can then serialize and send back to the server. This means that this can be used to look for things like usernames and passwords in the local memory. I really don't think we want to be shipping any more releases with this bug.
Comment 23•19 years ago (Assignee)
Yeah, I've been working on this and bug 291827. It's a bit too late to switch to the new Expat, so I'm going to fix bug 291827 first.
Assignee: xml → peterv
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta3
Comment 24•19 years ago (Assignee)
This is essentially bz's patch, with some minor changes. I reviewed, so r=peterv.
Attachment #181736 - Attachment is obsolete: true
Attachment #187956 - Flags: superreview?(jst)
Attachment #187956 - Flags: review+
Updated•19 years ago
Flags: blocking1.8b4? → blocking1.8b4+
Comment 25•19 years ago
Comment on attachment 187956
v1.1
sr=jst
Attachment #187956 - Flags: superreview?(jst) → superreview+
Updated•19 years ago (Assignee)
Attachment #187956 - Flags: approval1.8b4?
Updated•19 years ago
Attachment #187956 - Flags: approval1.8b4? → approval1.8b4+
Updated•19 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•19 years ago
Summary: Mozilla SVG build 2004122009, 1004121909: wrong 'mismatched tag' message → Random characters appear in XML parser "mismatched text" error message