| Age | Commit message (Collapse) | Author | 
|---|
|  |  | 
|  |  | 
|  |  | 
|  | Reduce the storage size for the `cmark_code` struct | 
|  |  | 
|  | Save node information in flags instead of using one boolean for each
property. | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | The previous work for unbounded memory usage and overflows on the buffer
API had several shortcomings:
1. The total size of the buffer was limited by arbitrarily small
precision on the storage type for buffer indexes (typedef'd as
`bufsize_t`). This is not a good design pattern in secure applications,
particualarly since it requires the addition of helper functions to cast
to/from the native `size` types and the custom type for the buffer, and
check for overflows.
2. The library was calling `abort` on overflow and memory allocation
failures. This is not a good practice for production libraries, since it
turns a potential RCE into a trivial, guaranteed DoS to the whole
application that is linked against the library. It defeats the whole
point of performing overflow or allocation checks when the checks will
crash the library and the enclosing program anyway.
3. The default size limits for buffers were essentially unbounded
(capped to the precision of the storage type) and could lead to DoS
attacks by simple memory exhaustion (particularly critical in 32-bit
platforms). This is not a good practice for a library that handles
arbitrary user input.
Hence, this patchset provides slight (but in my opinion critical)
improvements on this area, copying some of the patterns we've used in
the past for high throughput, security sensitive Markdown parsers:
1. The storage type for buffer sizes is now platform native (`ssize_t`).
Ideally, this would be a `size_t`, but several parts of the code expect
buffer indexes to be possibly negative. Either way, switching to a
`size` type is an strict improvement, particularly in 64-bit platforms.
All the helpers that assured that values cannot escape the `size` range
have been removed, since they are superfluous.
2. The overflow checks have been removed. Instead, the maximum size for
a buffer has been set to a safe value for production usage (32mb) that
can be proven not to overflow in practice. Users that need to parse
particularly large Markdown documents can increase this value. A static,
compile-time check has been added to ensure that the maximum buffer size
cannot overflow on any growth operations.
3. The library no longer aborts on buffer overflow.  The CMark library
now follows the convention of other Markdown implementations (such as
Hoedown and Sundown) and silently handles buffer overflows and
allocation failures by dropping data from the buffer. The result is
that pathological Markdown documents that try to exploit the library
will instead generate truncated (but valid, and safe) outputs.
All tests after these small refactorings have been verified to pass.
---
NOTE: Regarding 32 bit overflows, generating test cases that crash the
library is trivial (any input document larger than 2gb will crash
CMark), but most Python implementations have issues with large strings
to begin with, so a test case cannot be added to the pathological tests
suite, since it's written in Python. | 
|  | Fix ctypes in Python FFI calls | 
|  | Fix character type detection in commonmark.c | 
|  | This didn't cause problems so far because
- all types are 32-bit on 32-bit systems and
- arguments are passed in registers on x86-64.
The wrong types could cause crashes on other platforms, though. | 
|  | - Implement cmark_isalpha.
- Check for ASCII character before implicit cast to char.
- Use internal ctype functions in commonmark.c.
Fixes test failures on Windows and undefined behavior. | 
|  | We don't want a blank line before a code block when it's
the first thing in a list item. | 
|  | In the commonmark writer we separate lists, and lists and
indented code, using a dummy HTML comment rather than two
blank lines (this is more portable).
So in evaluating the round-trip tests, we now strip out
these comments.
We also normalize HTML to avoid issues having to do with
line breaks. | 
|  | This replaces the old use of simple shell scripts.
It is much faster, and more flexible.  (We will be able
to do custom normalization and skip certain tests.) | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | We generally want this option to prohibit any breaking
in things like headers (not just wraps, but softbreaks). | 
|  | Previously they actually ran cmark instead of the round-trip
version, since there was a bug in setting the ROUNDTRIP
variable.
Now round trip tests fail!  This was unnoticed before.
See #131. | 
|  | This is an alternate solution for pull request #132,
which introduced a new warning on the comparison:
    latex.c:191:20: warning: comparison of integers of
      different signs: 'size_t' (aka 'unsigned long') and 'bufsize_t'
      (aka 'int') [-Wsign-compare]
    if (realurllen == link_text->as.literal.len &&
        ~~~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|  | inlines: Remove unused variable "link_text" | 
|  | Changed type from int to size_t to fix implicit type conversion warning | 
|  |  | 
|  |  | 
|  | Add 2016 to copyright | 
|  | I thought I had an outdated version of the binary because it printed 2015 for
the version string. | 
|  | Fix tests under MinGW | 
|  | - Fix PATH for api_test, see:
  https://cmake.org/pipermail/cmake/2009-May/029423.html
- DLL is named libcmark.dll under MinGW. | 
|  | in cmark.h and its man page. Closes #124. | 
|  | returned by cmark_render_html etc.  Closes #124. | 
|  |  | 
|  |  | 
|  | Previously we did this manually, which introduces many
places where errors can creep in. | 
|  | This change allows us to pass the new test introduced in
75f231503d2b5854f1ff517402d2751811295bf7.
Previously when a list marker was followed only by spaces,
cmark expected the following content to be indented by
the same number of spaces.  But in this case we should
treat the line just like a blank line and set list padding
accordingly. | 
|  |  | 
|  | - Extend CMARK_OPT_NOBREAKS to all renderers and add `--nobreaks`.
- Do not autowrap, regardless of width parameter, if CMARK_OPT_NOBREAKS
  is set.
- Fixed CMARK_OPT_HARDBREAKS for LaTeX and man renderers.
- Ensure that no auto-wrapping occurs if CMARK_OPT_NOBREAKS is enabled,
  or if output is CommonMark and CMARK_OPT_HARDBREAKS is enabled.
- Updated man pages. | 
|  | Add library option to render softbreaks as spaces | 
|  | Add first regression tests | 
|  | I think it's a good idea to add tests after fixing bugs. This is really
easy using the spec test infrastructure. | 
|  | Set stdin to binary mode on Windows | 
|  |  | 
|  | Fixes EOLs when reading from stdin.
Fully fixes issue #113. | 
|  | Replaced nodes are not automatically freed. | 
|  |  | 
|  |  |