Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-7172359

HTML parser StackOverflowError on invalid HTML: <li> tag inside an <option>

    XMLWordPrintable

Details

    • b20
    • x86
    • windows_7

    Description

      FULL PRODUCT VERSION :
      java version "1.7.0_04"
      Java(TM) SE Runtime Environment (build 1.7.0_04-b22)
      Java HotSpot(TM) Client VM (build 23.0-b21, mixed mode, sharing)

      java version "1.6.0_32"
      Java(TM) SE Runtime Environment (build 1.6.0_32-b05)
      Java HotSpot(TM) Client VM (build 20.7-b02, mixed mode, sharing)


      ADDITIONAL OS VERSION INFORMATION :
      Windows 7 Enterprise 32-bit [Version 6.1.7600]

      A DESCRIPTION OF THE PROBLEM :
      The following (invalid) HTML will crash javax.swing.text.html.parser.Parser with a StackOverflowError:

          <html><body><form>
            <select>
              <option value="1"><li></option>
            </select>
          </form></body></html>

      Tested on 7u4, 6u31 and 6u32.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Read the above HTML into an HTMLEditorKit (see test case below)

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Document loads OK and can be iterated through to extract content
      ACTUAL -
      StackOverflowError, as below - it gets stuck in javax.swing.text.html.parser.Parser.legalElementContext recursing back into itself

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
        From 7u4:

      Exception in thread "main" java.lang.StackOverflowError
              at javax.swing.text.html.parser.ContentModelState.advance(ContentModelState.java:201)
              at javax.swing.text.html.parser.ContentModelState.advance(ContentModelState.java:224)
              at javax.swing.text.html.parser.TagStack.advance(TagStack.java:138)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:616)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:702)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:642)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:702)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:642)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:702)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:642)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:702)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:642)

      (and continues to repeat the last two lines until the end of the trace)


        From 6u32:


      Exception in thread "main" java.lang.StackOverflowError
              at javax.swing.text.html.parser.ContentModel.first(ContentModel.java:139)
              at javax.swing.text.html.parser.ContentModelState.advance(ContentModelState.java:184)
              at javax.swing.text.html.parser.ContentModelState.advance(ContentModelState.java:207)
              at javax.swing.text.html.parser.TagStack.advance(TagStack.java:137)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:600)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:688)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:626)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:688)
              at javax.swing.text.html.parser.Parser.legalElementContext(Parser.java:626)

      ditto last two lines repeat.

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import javax.swing.text.html.HTMLDocument;
      import javax.swing.text.html.HTMLEditorKit;
      import java.io.StringReader;
      import java.io.Reader;

      public class ParserCrash
      {
      /**
      * li element inside an option will crash javax.swing.text.html.parser.Parser
      */
      public static void main( String[] argv ) throws Exception
      {
      String badHtml = "<html><body><form><select><option><li></option></select></form></body></html>";

      HTMLEditorKit kit = new HTMLEditorKit();
      HTMLDocument doc = (HTMLDocument) kit.createDefaultDocument();
      Reader reader = new StringReader(badHtml);
      kit.read(reader, doc, 0); // StackOverflowError here

      System.out.println("Succeeded! (expected StackOverflowError");
      }
      }

      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Repair the broken HTML in our CMS.
      (It took a while to track this down because we hit this error after nine hours of a Jackrabbit content reindex, and because the StackOverflowError is a Throwable not an Exception it wasn't getting logged.)

      Attachments

        Issue Links

          Activity

            People

              psadhukhan Prasanta Sadhukhan
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                Imported:
                Indexed: