Fossil SCM

Fix a possible heap-buffer-overflow in <code>parse_htmlblock()</code> introduced by [1e919d601f774fdb]. This is not related to footnotes but was revealed by fuzzing (case 80cbb6b185807e98a953426af7b1f802c9d13957).

george 2022-04-23 15:56 markdown-footnotes

Commit bc4c5b63117b3d5dc2660245bb17b9be32935236e2f3d799b5248f7f83858fb9

Parent cab8a586ae5062c…

1 file changed +2 -1

~ src/markdown.c

M src/markdown.c

+2 -1

		--- src/markdown.c
		+++ src/markdown.c
		@@ -2108,11 +2108,12 @@
2108	2108	/* the end of the block has been found */
2109	2109	if( strcmp(curtag->text,"html")==0 ){
2110	2110	/* Omit <html> tags */
2111	2111	enum mkd_autolink dummy;
2112	2112	int k = tag_length(data, size, &dummy);
2113		- blob_init(&work, data+k, i-(j+k));
	2113	+ int sz = i - (j+k);
	2114	+ if( sz>0 ) blob_init(&work, data+k, sz);
2114	2115	}else{
2115	2116	blob_init(&work, data, i);
2116	2117	}
2117	2118	if( rndr->make.blockhtml ){
2118	2119	rndr->make.blockhtml(ob, &work, rndr->make.opaque);
2119	2120

	--- src/markdown.c
	+++ src/markdown.c
	@@ -2108,11 +2108,12 @@
2108	/* the end of the block has been found */
2109	if( strcmp(curtag->text,"html")==0 ){
2110	/* Omit <html> tags */
2111	enum mkd_autolink dummy;
2112	int k = tag_length(data, size, &dummy);
2113	blob_init(&work, data+k, i-(j+k));

2114	}else{
2115	blob_init(&work, data, i);
2116	}
2117	if( rndr->make.blockhtml ){
2118	rndr->make.blockhtml(ob, &work, rndr->make.opaque);
2119

	--- src/markdown.c
	+++ src/markdown.c
	@@ -2108,11 +2108,12 @@
2108	/* the end of the block has been found */
2109	if( strcmp(curtag->text,"html")==0 ){
2110	/* Omit <html> tags */
2111	enum mkd_autolink dummy;
2112	int k = tag_length(data, size, &dummy);
2113	int sz = i - (j+k);
2114	if( sz>0 ) blob_init(&work, data+k, sz);
2115	}else{
2116	blob_init(&work, data, i);
2117	}
2118	if( rndr->make.blockhtml ){
2119	rndr->make.blockhtml(ob, &work, rndr->make.opaque);
2120

Fossil SCM

Keyboard Shortcuts