mity / md4c

C Markdown parser. Fast. SAX-like interface. Compliant to CommonMark specification.
MIT License

Array out-of-bounds access leads to segmentation fault in md_build_attribute function #196

Closed rish9101 closed 5 months ago

rish9101 commented 1 year ago

I have found a bug at line 1466 of md4c.c inside the md_build_attribute function. This bug is caused by the array index, raw_off, being a large value, leading to a segmentation fault. Below is the stack trace for the bug:

#0  0x000000000040cfd6 in md_build_attribute (ctx=0x7fffffffdc60, raw_text=0x42ea68 "http://ple.com> <doe@e![\214ef]\032![e\017 r \001*\035*M\001*\035*hd*q*\252**!*\177", raw_size=0xfffffa30, flags=0x1, attr=0x7fffffffd710, build=0x7fffffffd780) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:1466
#1  0x00000000004177a7 in md_enter_leave_span_a (ctx=0x7fffffffdc60, enter=0x4, type=MD_SPAN_A, dest=0x42ea68 "http://ple.com> <doe@e![\214ef]\032![e\017 r \001*\035*M\001*\035*hd*q*\252**!*\177", dest_size=0xfffffa30, prohibit_escapes_in_dest=0x1, title=0x0, title_size=0x0) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4115
#2  0x0000000000416ce5 in md_process_inlines (ctx=0x7fffffffdc60, lines=0x7fffffffd9b0, n_lines=0x1) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4353
#3  0x000000000040cd11 in md_process_normal_block_contents (ctx=0x7fffffffdc60, lines=0x7fffffffd9b0, n_lines=0x1) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4641
#4  0x000000000040e576 in md_process_table_cell (ctx=0x7fffffffdc60, cell_type=MD_BLOCK_TD, align=MD_ALIGN_DEFAULT, beg=0x5d0, end=0x61a) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4489
#5  0x000000000040dffd in md_process_table_row (ctx=0x7fffffffdc60, cell_type=MD_BLOCK_TD, beg=0x5cf, end=0x61a, align=0x42f030, col_count=0x1) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4534
#6  0x000000000040cc07 in md_process_table_block_contents (ctx=0x7fffffffdc60, col_count=0x1, lines=0x42ed58, n_lines=0x12) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4582
#7  0x000000000040c0df in md_process_leaf_block (ctx=0x7fffffffdc60, block=0x42ed50) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4815
#8  0x0000000000406980 in md_process_all_blocks (ctx=0x7fffffffdc60) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4902
#9  0x000000000040360f in md_process_doc (ctx=0x7fffffffdc60) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:6331
#10 0x00000000004031fb in md_parse (text=0x42e498 "%]\001\001\177\337;un|\200~ u", size=0x7ee, parser=0x7fffffffdf08, userdata=0x7fffffffdf50) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:6399
#11 0x00000000004017f9 in md_html (input=0x42e498 "%]\001\001\177\337;un|\200~ u", input_size=0x7ee, process_output=0x401330 <process_output>, userdata=0x0, parser_flags=0xa6a5a5a5, renderer_flags=0xd5f01ea5) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c-html.c:571

The crashing input is attached below.

The bug has been tested on Ubuntu 20.04 with clang-11 used to build md4c on its latest commit.

array_oob.zip

This bug has been found by fuzzing.
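As an added illustration (my own code, not md4c's source and not the fix referenced later in this thread), the C below shows the defect class this report is consistent with, and the check that prevents it. The frame `md_enter_leave_span_a` in the trace carries `dest_size=0xfffffa30`, which is the 32-bit two's-complement encoding of `-0x5d0`; reading that as an unsigned `end - beg` subtraction that wrapped is my inference, not something the report states. The names `span_size_t`, `span_len_checked` and `build_attr_copy` are hypothetical stand-ins for the parser's own types and routines; the input buffers are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parser's unsigned 32-bit offset/size type. */
typedef uint32_t span_size_t;

/* The unchecked way a span length is often derived. When end < beg the
 * unsigned subtraction wraps; 0 - 0x5d0 yields 0xfffffa30, the same value
 * that appears as dest_size/raw_size in the reported trace. Any loop that
 * then runs "for (off = 0; off < len; off++) text[off]" walks off the end
 * of the buffer. */
span_size_t span_len_unchecked(span_size_t beg, span_size_t end) {
    return (span_size_t)(end - beg);
}

/* Hardened version: validate the offsets against the backing buffer before
 * computing a length. Returns 0 and stores the length on success, -1 if the
 * span is inverted or extends past the buffer. */
int span_len_checked(span_size_t beg, span_size_t end, span_size_t buf_size,
                     span_size_t *out_len) {
    if (end < beg || end > buf_size)
        return -1;
    *out_len = end - beg;
    return 0;
}

/* Copy buf[beg, end) into dst while dropping backslash escapes before
 * punctuation ("\*" -> "*"), roughly what building a link attribute has to
 * do. Returns the number of bytes written, or -1 when the span does not lie
 * inside buf or dst cannot hold the result plus a terminating NUL. Every
 * read of buf is bounded by the validated length. */
long build_attr_copy(const char *buf, span_size_t buf_size, span_size_t beg,
                     span_size_t end, char *dst, size_t dst_cap) {
    span_size_t len;
    if (span_len_checked(beg, end, buf_size, &len) != 0)
        return -1;
    if ((size_t)len + 1 > dst_cap)
        return -1;
    size_t n = 0;
    for (span_size_t off = 0; off < len; off++) {
        char c = buf[beg + off];
        if (c == '\\' && off + 1 < len &&
            ispunct((unsigned char)buf[beg + off + 1]))
            continue; /* skip the backslash, keep the escaped character */
        dst[n++] = c;
    }
    dst[n] = '\0';
    return (long)n;
}

/* Exercises the checked path on constructed input. Returns 1 when every
 * scenario behaves as intended, 0 otherwise. */
int demo_all(void) {
    static const char doc[] = "[x](http://ex\\*ample.com)"; /* constructed */
    span_size_t doc_size = (span_size_t)(sizeof(doc) - 1);  /* 25 bytes */
    char dst[64];
    span_size_t len;

    /* Valid span: the URL between '(' and ')' is bytes [4, 24). */
    if (build_attr_copy(doc, doc_size, 4, 24, dst, sizeof dst) != 19) return 0;
    if (strcmp(dst, "http://ex*ample.com") != 0) return 0;

    /* Inverted span (end < beg): rejected instead of wrapping to ~4 GiB. */
    if (span_len_checked(0x5d0, 0, 0x7ee, &len) != -1) return 0;
    if (build_attr_copy(doc, doc_size, 24, 4, dst, sizeof dst) != -1) return 0;

    /* Span past the end of the buffer: rejected. */
    if (build_attr_copy(doc, doc_size, 4, doc_size + 1, dst, sizeof dst) != -1) return 0;

    /* Destination too small for result + NUL: rejected. */
    if (build_attr_copy(doc, doc_size, 4, 24, dst, 19) != -1) return 0;

    return 1;
}

int main(void) {
    printf("0 - 0x5d0 as uint32 = 0x%08x\n", span_len_unchecked(0x5d0, 0));
    printf("checked scenarios ok: %d\n", demo_all());
    return 0;
}
```

The point of the checked path is that the validation happens where the offsets are produced, so the loop that later indexes `buf[beg + off]` never has to trust a length it cannot verify against the buffer it reads from.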

mity commented 5 months ago

I believe it got fixed with c6942ef03ed46a67bd9b3af8ce1eefd781622777.