bug 269095: crash on malformed html page that caused us to try to handle misplaced content while we were already handling misplaced content. r=jst sr=rbs

parser/htmlparser/src/CNavDTD.cpp

@@ -120,7 +120,8 @@ static char gShowCRC;
 #define NS_DTD_FLAG_FRAMES_ENABLED         0x00000200
 #define NS_DTD_FLAG_ALTERNATE_CONTENT      0x00000400 // NOFRAMES, NOSCRIPT 
 #define NS_DTD_FLAG_MISPLACED_CONTENT      0x00000800
-#define NS_DTD_FLAG_STOP_PARSING           0x00001000
+#define NS_DTD_FLAG_IN_MISPLACED_CONTENT   0x00001000
+#define NS_DTD_FLAG_STOP_PARSING           0x00002000
 
 /**
  *  This method gets called as part of our COM-like interfaces.
@@ -589,11 +590,14 @@ nsresult CNavDTD::DidBuildModel(nsresult anErrorCode,
       if (mFlags & NS_DTD_FLAG_MISPLACED_CONTENT) {
         // Looks like the misplaced contents are not processed yet.
         // Here is our last chance to handle the misplaced content.
-        mFlags &= ~NS_DTD_FLAG_MISPLACED_CONTENT; 
         
-        // mContextTopIndex refers to the misplaced content's legal parent index.
+        // Loop until we've really consumed all of our misplaced content.
-        result = HandleSavedTokens(mBodyContext->mContextTopIndex);
+        do {
-        NS_ENSURE_SUCCESS(result, result);
+          mFlags &= ~NS_DTD_FLAG_MISPLACED_CONTENT; 
+          // mContextTopIndex refers to the misplaced content's legal parent index.
+          result = HandleSavedTokens(mBodyContext->mContextTopIndex);
+          NS_ENSURE_SUCCESS(result, result);
+        } while (mFlags & NS_DTD_FLAG_MISPLACED_CONTENT);
 
         mBodyContext->mContextTopIndex = -1; 
       }          
@@ -871,6 +875,13 @@ nsresult CNavDTD::HandleToken(CToken* aToken,nsIParser* aParser){
       static eHTMLTags gLegalElements[]={eHTMLTag_table,eHTMLTag_thead,eHTMLTag_tbody,
                                          eHTMLTag_tr,eHTMLTag_td,eHTMLTag_th,eHTMLTag_tfoot};
       if(theToken) {
+        // Don't even try processing misplaced tokens if we're already
+        // handling misplaced content. See bug 269095
+        if (mFlags & NS_DTD_FLAG_IN_MISPLACED_CONTENT) {
+          PushIntoMisplacedStack(theToken);
+          return result;  
+        }
+
         eHTMLTags theParentTag=mBodyContext->Last();
         theTag=(eHTMLTags)theToken->GetTypeID();
         if(FindTagInSet(theTag, gLegalElements,
@@ -2100,7 +2111,8 @@ nsresult CNavDTD::HandleSavedTokens(PRInt32 anIndex) {
       PRInt32  theBadTokenCount   = mMisplacedContent.GetSize();
 
       if(theBadTokenCount > 0) {
-        
+        mFlags |= NS_DTD_FLAG_IN_MISPLACED_CONTENT;
+
         if(mTempContext==nsnull) mTempContext=new nsDTDContext();
 
         CToken*   theToken;
@@ -2173,6 +2185,8 @@ nsresult CNavDTD::HandleSavedTokens(PRInt32 anIndex) {
         mSink->EndContext(anIndex);
         MOZ_TIMER_DEBUGLOG(("Start: Parse Time: CNavDTD::HandleSavedTokensAbove(), this=%p\n", this));
         START_TIMER()
+
+        mFlags &= ~NS_DTD_FLAG_IN_MISPLACED_CONTENT;
       }
     }
     return result;