author | John MacFarlane <jgm@berkeley.edu> | 2015-07-14 11:28:16 -0700 |
---|---|---|
committer | John MacFarlane <jgm@berkeley.edu> | 2015-07-14 11:28:16 -0700 |
commit | 76fb4d57b9e941870c72f86833648bb5262be737 (patch) | |
tree | f74ca02f3bc15f2e5b2bfd44bf12ae774d185fcc | |
parent | 4de9c6ecf66f27829d226b3ad414823589dacd13 (diff) |
Limit 'start' to 8 digits to avoid undefined behavior (overflows).
This should be added to the spec.
-rw-r--r-- | src/blocks.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/blocks.c b/src/blocks.c
index 002f9ad..aac9a2a 100644
--- a/src/blocks.c
+++ b/src/blocks.c
@@ -400,11 +400,16 @@ static bufsize_t parse_list_marker(cmark_chunk *input, bufsize_t pos, cmark_list
 }
 } else if (cmark_isdigit(c)) {
 int start = 0;
+ int digits = 0;
 do {
 start = (10 * start) + (peek_at(input, pos) - '0');
 pos++;
- } while (cmark_isdigit(peek_at(input, pos)));
+ digits++;
+ // We limit to 9 digits to avoid overflow,
+ // assuming max int is 2^31 - 1
+ // This also seems to be the limit for 'start' in some browsers.
+ } while (digits < 9 && cmark_isdigit(peek_at(input, pos)));
 c = peek_at(input, pos);
 if (c == '.' || c == ')') { |
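Review bot: The commit message says 'start' is limited to 8 digits, but the new loop condition `digits < 9` and the comment above it allow nine, so the limit this message asks to have added to the spec does not match what the code enforces; the message and the comment should agree on one number (nine is the bound that keeps 999999999 below 2^31 - 1). What happens once the cap is hit is also left implicit: with a tenth digit present, `c = peek_at(input, pos)` lands on that digit, the `'.'`/`')'` test on the next line fails, and the run is presumably not accepted as a list marker, which is worth saying in the comment, e.g. `// A 10th digit leaves c on a digit, so the '.'/')' test below rejects the marker.`. The line "assuming max int is 2^31 - 1" records a platform assumption rather than checking it; if targets with a 16-bit `int` matter, a build-time check that `int` is at least 32 bits would turn that assumption into a guarantee. parse_list_marker begins and continues outside this hunk on both sides.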