From 4fbea0e16f95208a8293b0f7fa96652bdc7a33dc Mon Sep 17 00:00:00 2001
From: Jorge Arellano Cid
Date: Mon, 26 Aug 2013 15:05:43 -0400
Subject: Fix handling of the BODY element

Avoids overflow of Num_BODY variable, its potential problems and improves HTML bug messages. e.g. details in crash-null_preprocessAttrs.html.asan. The num-head, num-title, num-body, num-html patch series is a bundle for the same type of problem/solution.
---
 src/html.cc | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/html.cc b/src/html.cc
index 3e310ce0..6b129188 100644
--- a/src/html.cc
+++ b/src/html.cc
@@ -1787,14 +1787,18 @@ static void Html_tag_open_body(DilloHtml *html, const char *tag, int tagsize)
 int tag_index_a = a_Html_tag_index ("a");
 style::Color *bgColor;
+ _MSG("Html_tag_open_body Num_BODY=%d\n", html->Num_BODY);
 if (!(html->InFlags & IN_BODY))
 html->InFlags |= IN_BODY;
- ++html->Num_BODY;
+ if (html->Num_BODY < UCHAR_MAX)
+ ++html->Num_BODY;
 if (html->Num_BODY > 1) {
 BUG_MSG("BODY element was already open\n");
+ html->ReqTagClose = true;
 return;
 }
+
 if (html->InFlags & IN_HEAD) {
 /* if we're here, it's bad XHTML, no need to recover */
 BUG_MSG("unclosed HEAD element\n");
@@ -1862,10 +1866,8 @@ static void Html_tag_open_body(DilloHtml *html, const char *tag, int tagsize)
 */
 static void Html_tag_close_body(DilloHtml *html)
 {
- if (html->Num_BODY == 1) {
- /* some tag soup pages use multiple BODY tags... */
- html->InFlags &= ~IN_BODY;
- }
+ /* Some tag soup pages use multiple BODY tags...
+ * Defer clearing the IN_BODY flag until IN_EOF */
 }
 /*
--
cgit v1.2.3
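Review bot: The saturating increment `if (html->Num_BODY < UCHAR_MAX) ++html->Num_BODY;` hard-codes a bound that is only right while Num_BODY is an unsigned char, and the field's declaration is outside this hunk, so nothing visible ties the two together. A comment at the guard would record why it exists, e.g. `/* saturate: a wrapped counter would let a repeated BODY pass the "> 1" check below as if it were the first */`, with a matching note at the field declaration that the bound follows its type. The commit message describes a series covering num-head, num-title, num-body and num-html, so the same comment (or one small shared helper) presumably belongs on all four counters. It is also worth confirming that `<limits.h>` is already included in html.cc, since this commit adds no include for UCHAR_MAX. Html_tag_open_body starts and ends outside the hunk.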
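Review bot: Html_tag_close_body is left as an empty function whose comment says clearing IN_BODY is deferred "until IN_EOF", but no line in this commit clears the flag, so that claim cannot be checked from the diff. If the clearing already exists elsewhere, the comment should name it, e.g. `* IN_BODY is cleared in <function that handles IN_EOF>`; if it does not, the flag stays set for the rest of the parse and the comment should say so instead. The `html` parameter is now unused, which some warning levels will report.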