gumbo: Make sure to use the char* pointer as the hashmap item

flavorjones · flavorjones · commit a17dec461129 · 2025-06-30T13:01:46.000-04:00
Previously we were passing a character string of variable length, but always copying 8 bytes into the item. It's not really a problem if the length of the string is less than 8, but it's more serious if the length is longer than 8. Fixes #3500 Fixes #3508
diff --git a/gumbo-parser/src/string_set.c b/gumbo-parser/src/string_set.c
@@ -8,12 +8,12 @@
 
 static int
 string_compare(const void *a, const void *b, void *udata) {
-  return strcmp((const char *)a, (const char *)b);
+  return strcmp(*(const char **)a, *(const char **)b);
 }
 
 static uint64_t
 string_hash(const void *item, uint64_t seed0, uint64_t seed1) {
-  const char *str = (const char *)item;
+  const char *str = *(const char **)item;
   return hashmap_xxhash3(str, strlen(str), seed0, seed1);
 }
 
@@ -31,11 +31,11 @@ void gumbo_string_set_free(GumboStringSet *set)
 void
 gumbo_string_set_insert(GumboStringSet *set, const char *str)
 {
-  hashmap_set(set, str);
+  hashmap_set(set, &str);
 }
 
 int
 gumbo_string_set_contains(GumboStringSet *set, const char *str)
 {
-  return hashmap_get(set, str) == NULL ? 0 : 1;
+  return hashmap_get(set, &str) == NULL ? 0 : 1;
 }
diff --git a/test/html5/test_attributes.rb b/test/html5/test_attributes.rb
@@ -27,4 +27,20 @@ def test_duplicate_attributes
     assert_equal(676, span.attributes.length, "duplicate attribute should be silently ignored")
     assert_equal("1", span["bb"], "bb attribute should hold the value of the first occurrence")
   end
+
+  # Using long (longer than 8 bytes) attributes exercises the gumbo hashmap implementation.
+  # See https://github.com/sparklemotion/nokogiri/issues/3500
+  def test_duplicate_attributes_long
+    html = +"<span "
+    ("abcdefghijklmnopqrst00".."abcdefghijklmnopqrst99").each do |attr|
+      html << "#{attr}='1' "
+    end
+    ("abcdefghijklmnopqrst00".."abcdefghijklmnopqrst99").each do |attr|
+      html << "#{attr}='2' "
+    end
+    html << ">"
+    span = Nokogiri::HTML5::DocumentFragment.parse(html, max_attributes: 1000).at_css("span")
+
+    assert_equal(100, span.attributes.length, "duplicate attribute should be silently ignored")
+  end
 end if Nokogiri.uses_gumbo?

Original file line number	Diff line number	Diff line change
`@@ -8,12 +8,12 @@`
`8`	`8`
`9`	`9`	`static int`
`10`	`10`	`string_compare(const void a, const void b, void *udata) {`
`11`		`- return strcmp((const char )a, (const char )b);`
	`11`	`+ return strcmp((const char )a, (const char **)b);`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`static uint64_t`
`15`	`15`	`string_hash(const void *item, uint64_t seed0, uint64_t seed1) {`
`16`		`- const char str = (const char )item;`
	`16`	`+ const char str = (const char **)item;`
`17`	`17`	`return hashmap_xxhash3(str, strlen(str), seed0, seed1);`
`18`	`18`	`}`
`19`	`19`
`@@ -31,11 +31,11 @@ void gumbo_string_set_free(GumboStringSet *set)`
`31`	`31`	`void`
`32`	`32`	`gumbo_string_set_insert(GumboStringSet set, const char str)`
`33`	`33`	`{`
`34`		`- hashmap_set(set, str);`
	`34`	`+ hashmap_set(set, &str);`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`int`
`38`	`38`	`gumbo_string_set_contains(GumboStringSet set, const char str)`
`39`	`39`	`{`
`40`		`- return hashmap_get(set, str) == NULL ? 0 : 1;`
	`40`	`+ return hashmap_get(set, &str) == NULL ? 0 : 1;`
`41`	`41`	`}`