authorJohn MacFarlane <jgm@berkeley.edu>2015-07-14 11:28:16 -0700
committerJohn MacFarlane <jgm@berkeley.edu>2015-07-14 11:28:16 -0700
commit76fb4d57b9e941870c72f86833648bb5262be737 (patch)
treef74ca02f3bc15f2e5b2bfd44bf12ae774d185fcc
parent4de9c6ecf66f27829d226b3ad414823589dacd13 (diff)
Limit 'start' to 8 digits to avoid undefined behavior (overflows).
This should be added to the spec.
-rw-r--r--src/blocks.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/blocks.c b/src/blocks.c
index 002f9ad..aac9a2a 100644
--- a/src/blocks.c
+++ b/src/blocks.c
@@ -400,11 +400,16 @@ static bufsize_t parse_list_marker(cmark_chunk *input, bufsize_t pos, cmark_list
}
} else if (cmark_isdigit(c)) {
int start = 0;
+ int digits = 0;
do {
start = (10 * start) + (peek_at(input, pos) - '0');
pos++;
- } while (cmark_isdigit(peek_at(input, pos)));
+ digits++;
+ // We limit to 9 digits to avoid overflow,
+ // assuming max int is 2^31 - 1
+ // This also seems to be the limit for 'start' in some browsers.
+ } while (digits < 9 && cmark_isdigit(peek_at(input, pos)));
c = peek_at(input, pos);
if (c == '.' || c == ')') {
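Review bot: The bound in the new `while (digits < 9 && ...)` condition keeps `start` clear of signed overflow only under the assumption stated in the comment, that `int` holds at least 2^31 - 1, and nothing in the hunk enforces that. Because `start` is computed from untrusted document text, I would name the limit and make the assumption fail at build time, e.g. `#define MAX_LIST_START_DIGITS 9` together with `#if INT_MAX < 999999999` / `#error "int too narrow for list start"` (this needs `<limits.h>`, whose inclusion is not visible here). The commit title says 8 digits while the code accepts 9, so the comment should state the real limit. It should also say what happens on a tenth digit: the following `c == '.' || c == ')'` test then sees a digit, so the line is presumably not treated as a list marker. parse_list_marker begins and ends outside the hunk.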