Make sure resetInsertionMode breaks out to Body if nothing left on stack

Fixes #1607
jhy · Aug 5, 2021 · b4f20f0 · b4f20f0
1 parent d6a4d20
commit b4f20f0
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 2 deletions.
diff --git a/CHANGES b/CHANGES
@@ -60,6 +60,9 @@ jsoup changelog
     deep in stack.
     <https://github.com/jhy/jsoup/issues/1606>
 
+  * Bugfix [Fuzz]: Fix a potential stack-overflow in the parser given crafted HTML, when the parser looped in the
+    InSelectInTable state.
+
 *** Release 1.14.1 [2021-Jul-10]
   * Change: updated the minimum supported Java version from Java 7 to Java 8.
 

diff --git a/src/main/java/org/jsoup/parser/HtmlTreeBuilder.java b/src/main/java/org/jsoup/parser/HtmlTreeBuilder.java
@@ -444,6 +444,10 @@ void resetInsertionMode() {
         final int bottom = stack.size() - 1;
         final int upper = bottom >= maxQueueDepth ? bottom - maxQueueDepth : 0;
 
+        if (stack.size() == 0) { // nothing left of stack, just get to body
+            transition(HtmlTreeBuilderState.InBody);
+        }
+
         for (int pos = bottom; pos >= upper; pos--) {
             Element node = stack.get(pos);
             if (pos == 0) {

diff --git a/src/main/java/org/jsoup/parser/HtmlTreeBuilderState.java b/src/main/java/org/jsoup/parser/HtmlTreeBuilderState.java
@@ -1419,12 +1419,14 @@ private boolean anythingElse(Token t, HtmlTreeBuilder tb) {
         boolean process(Token t, HtmlTreeBuilder tb) {
             if (t.isStartTag() && inSorted(t.asStartTag().normalName(), InSelecTableEnd)) {
                 tb.error(this);
-                tb.processEndTag("select");
+                tb.popStackToClose("select");
+                tb.resetInsertionMode();
                 return tb.process(t);
             } else if (t.isEndTag() && inSorted(t.asEndTag().normalName(),InSelecTableEnd )) {
                 tb.error(this);
                 if (tb.inTableScope(t.asEndTag().normalName())) {
-                    tb.processEndTag("select");
+                    tb.popStackToClose("select");
+                    tb.resetInsertionMode();
                     return (tb.process(t));
                 } else
                     return false;

diff --git a/src/test/java/org/jsoup/integration/FuzzFixesTest.java b/src/test/java/org/jsoup/integration/FuzzFixesTest.java
@@ -181,4 +181,16 @@ public void parseTimeout1606() throws IOException {
         Document docXml = Jsoup.parse(new FileInputStream(in), "UTF-8", "https://example.com", Parser.xmlParser());
         assertNotNull(docXml);
     }
+
+    @Test
+    public void overflow1607() throws IOException {
+        // https://github.com/jhy/jsoup/issues/1607
+        File in = ParseTest.getFile("/fuzztests/1607.html.gz");
+
+        Document doc = Jsoup.parse(in, "UTF-8");
+        assertNotNull(doc);
+
+        Document docXml = Jsoup.parse(new FileInputStream(in), "UTF-8", "https://example.com", Parser.xmlParser());
+        assertNotNull(docXml);
+    }
 }
diff --git a/src/test/resources/fuzztests/1607.html.gz b/src/test/resources/fuzztests/1607.html.gz