mity / md4c

C Markdown parser. Fast. SAX-like interface. Compliant with the CommonMark specification.
MIT License

afl-fuzz: crash in md_process_table_cell() #51

Closed mity closed 5 years ago

mity commented 5 years ago

With --github, the following minimized test case leads to a seg. fault in md_process_table_cell():

[|]: u

[|]: u
---|
mity commented 5 years ago

Little more minimized version:

[|]: u

[|]
---|
mity commented 5 years ago

Finally I can see the culprit.

During the line-level analysis, we have not yet built the reference link definition database, therefore [|] is not seen as a shortcut reference link. Therefore, in the context of md_is_table_row(), the pipe is seen as a table cell boundary char and the last two lines can form a table.

But later, when the table is finally rendered, i.e. in the context of md_process_table_row(), the ref. link def. database is already built, so the pipe is seen as a link label and not as a table cell boundary.

This inconsistency leads to the crash.
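As an added illustration of the inconsistency described in the comment above (this is a hypothetical model written for this page, not md4c's own code): the two passes are reduced to one tokenizer whose only difference is whether bracketed link labels are known, and a consistency check shows which rows the two passes disagree on.

```c
#include <stdio.h>

/* Hypothetical model of the two passes the issue describes; not md4c's code.
 * Pass 1 (line analysis, like md_is_table_row): the reference-link definition
 * database does not exist yet, so "[|]" is plain text and its '|' counts as a
 * cell boundary.  Pass 2 (rendering, like md_process_table_row): "[|]" is now a
 * link label, so the '|' inside the brackets is not a boundary.  The model
 * toggles bracket awareness with labels_known to expose the disagreement. */

/* Count unescaped '|' characters that the given pass treats as cell boundaries. */
static int count_boundaries(const char *line, int labels_known)
{
    int n = 0;
    const char *p = line;
    while (*p != '\0') {
        if (*p == '\\' && p[1] != '\0') {   /* backslash escape: skip next char */
            p += 2;
            continue;
        }
        if (labels_known && *p == '[') {
            /* Find the closing ']' of a potential link label; a '|' inside it
             * belongs to the label and is not a cell boundary. */
            const char *q = p + 1;
            while (*q != '\0' && *q != ']') {
                if (*q == '\\' && q[1] != '\0') q++;
                q++;
            }
            if (*q == ']') { p = q + 1; continue; }
        }
        if (*p == '|') n++;
        p++;
    }
    return n;
}

/* A consistency check the rendering pass could run before trusting a cell
 * count that was computed during line analysis. */
static int passes_agree(const char *line)
{
    return count_boundaries(line, 0) == count_boundaries(line, 1);
}

int main(void)
{
    /* Constructed inputs: the two rows from the issue plus two ordinary rows. */
    const char *rows[] = { "[|]: u", "[|]", "a | b", "a \\| b" };
    for (size_t i = 0; i < sizeof(rows) / sizeof(rows[0]); i++)
        printf("%-8s analysis=%d render=%d %s\n", rows[i],
               count_boundaries(rows[i], 0), count_boundaries(rows[i], 1),
               passes_agree(rows[i]) ? "ok" : "MISMATCH");
    return 0;
}
```

Both rows from the test case report a boundary in the analysis pass and none in the render pass, which is exactly the disagreement that a cell index computed in the first pass cannot survive in the second.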