mity / md4c

C Markdown parser. Fast. SAX-like interface. Compliant with the CommonMark specification.
MIT License

prevent buffer overflow in md_is_entity_str #46

Status: Closed (ec1oud closed this pull request 5 years ago)

ec1oud commented 5 years ago

Found by fuzzing: https://bugreports.qt.io/browse/QTBUG-72937

CH(off) reads past the end of ctx->text if off >= ctx->size.

codecov[bot] commented 5 years ago

Codecov Report

Merging #46 into master will not change coverage. The diff coverage is 100%.


@@           Coverage Diff           @@
##           master      #46   +/-   ##
=======================================
  Coverage   92.76%   92.76%           
=======================================
  Files           1        1           
  Lines        2542     2542           
=======================================
  Hits         2358     2358           
  Misses        184      184
Impacted Files      Coverage Δ
md4c/md4c.c         92.76% <100%> (ø) ↑

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 7d8f253...88cc00e.


mity commented 5 years ago

Thanks for it.

But I believe the provided patch is not correct: the argument text in md_is_entity_str() can point anywhere into the document, so comparing the offset in this string with ctx->size is not in general the right thing to do.

I successfully reproduced the issue and opened #47 for it. Working on it.
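The point mity makes above is the general rule for any scanner that is handed a pointer into the middle of a buffer: the bound has to be expressed relative to that pointer (the bytes that remain after it), not as the size of the whole document, otherwise the scanner is allowed to read up to "start offset" bytes past the real end. The example below is an added illustration, not md4c's code: a hypothetical is_entity_str() that recognises entities of the shape &name;, &#123; and &#x1F; and takes an explicit max_end relative to its text argument, every read going through one bounds-checked peek() that also records the highest index touched, so a test can confirm the scanner never looks beyond the bytes it was given. The length limits (48 letters, 8 digits) are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Instrumentation for the example: highest index of `text` actually read. */
static size_t g_max_index_read;

/* The only place bytes are read. Returns -1 instead of touching
 * text[off] when off is outside [0, max_end). max_end is relative to
 * `text`, never to the whole document. */
static int peek(const char* text, size_t off, size_t max_end) {
    if (off >= max_end) return -1;
    if (off > g_max_index_read) g_max_index_read = off;
    return (unsigned char)text[off];
}

/* Hypothetical scanner (not md4c's own): does text[beg..] start with an
 * entity? On success stores the offset just past the ';' in *p_end. */
bool is_entity_str(const char* text, size_t beg, size_t max_end, size_t* p_end) {
    size_t off = beg;
    int c;

    if (peek(text, off, max_end) != '&') return false;
    off++;
    c = peek(text, off, max_end);

    if (c == '#') {                              /* numeric: &#123; or &#x1F; */
        off++;
        c = peek(text, off, max_end);
        bool hex = (c == 'x' || c == 'X');
        size_t digits = 0;
        if (hex) { off++; c = peek(text, off, max_end); }
        while (c >= 0 && (hex ? isxdigit(c) : isdigit(c))) {
            digits++; off++; c = peek(text, off, max_end);
        }
        if (digits == 0 || digits > 8) return false;   /* assumed limit */
    } else {                                     /* named: &amp; */
        size_t n = 0;
        if (c >= 0 && isalpha(c)) {
            while (c >= 0 && isalnum(c)) { n++; off++; c = peek(text, off, max_end); }
        }
        if (n == 0 || n > 48) return false;            /* assumed limit */
    }

    if (peek(text, off, max_end) != ';') return false;
    *p_end = off + 1;
    return true;
}

/* Scan the substring of `doc` that begins at document offset k. The
 * caller computes the bound as doc_size - k: the bytes that really remain
 * after the pointer. Passing doc_size here would be the mistake discussed
 * in the thread. Returns the entity length, or 0 if none starts there. */
size_t entity_len_from(const char* doc, size_t doc_size, size_t k) {
    size_t end = 0;
    g_max_index_read = 0;
    if (k >= doc_size) return 0;
    if (!is_entity_str(doc + k, 0, doc_size - k, &end)) return 0;
    return end;
}

/* Highest index of the substring read by the last entity_len_from() call. */
size_t last_index_read(void) {
    return g_max_index_read;
}

int main(void) {
    /* Constructed sample: entity starts one byte into the document and the
     * document ends right after it, so an off-by-one bound would over-read. */
    const char doc[] = "x&amp;";
    size_t len = entity_len_from(doc, sizeof(doc) - 1, 1);
    printf("entity length %zu, highest index read %zu\n", len, last_index_read());

    /* Truncated input: the scanner must give up without reading index 4. */
    len = entity_len_from("x&amp", 5, 1);
    printf("entity length %zu, highest index read %zu\n", len, last_index_read());
    return 0;
}
```

The check to carry into a review of any such fix is whether the bound and the pointer are measured from the same origin; an instrumented peek() like the one above, driven by inputs that end exactly at the entity boundary, makes a mismatch show up as a read beyond max_end rather than as a silent over-read.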

mity commented 5 years ago

Should be fixed by da511fa.