From 76fb4d57b9e941870c72f86833648bb5262be737 Mon Sep 17 00:00:00 2001
From: John MacFarlane
Date: Tue, 14 Jul 2015 11:28:16 -0700
Subject: Limit 'start' to 8 digits to avoid undefined behavior (overflows).
This should be added to the spec.
---
src/blocks.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/blocks.c b/src/blocks.c
index 002f9ad..aac9a2a 100644
--- a/src/blocks.c
+++ b/src/blocks.c
@@ -400,11 +400,16 @@ static bufsize_t parse_list_marker(cmark_chunk *input, bufsize_t pos, cmark_list
}
}
} else if (cmark_isdigit(c)) {
int start = 0;
+ int digits = 0;
do {
start = (10 * start) + (peek_at(input, pos) - '0');
pos++;
- } while (cmark_isdigit(peek_at(input, pos)));
+ digits++;
+ // We limit to 9 digits to avoid overflow,
+ // assuming max int is 2^31 - 1
+ // This also seems to be the limit for 'start' in some browsers.
+ } while (digits < 9 && cmark_isdigit(peek_at(input, pos)));
c = peek_at(input, pos);
if (c == '.' || c == ')') {
-- 
cgit v1.2.3
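Review bot: The commit title says the limit is 8 digits while the new loop condition `digits < 9` and the added comment both say 9, so one of them is wrong and the title is what shows up in the history; the code's 9 is safe for a 32-bit int (999999999 < INT_MAX) and should be the documented value. The bound is a bare magic number tied to an assumption about `int` width that is stated only in a comment; I would hoist it into a named constant next to the function and, if the file already builds as C11, pin the assumption with `_Static_assert(INT_MAX >= 999999999, "start needs a 32-bit int");` rather than leaving it as prose. Concretely: `enum { LIST_START_MAX_DIGITS = 9 };` at file scope and `} while (digits < LIST_START_MAX_DIGITS && cmark_isdigit(peek_at(input, pos)));` in the loop, which also gives the spec-facing limit one place to live. Note that once the cap is hit a 10th digit is left unconsumed and the following `c == '.' || c == ')'` test then rejects the marker, which looks intentional but deserves a one-line comment such as `// a longer run of digits is not a list marker`. parse_list_marker begins and ends outside this hunk, so the early-return paths and the final result assignment were not reviewed here.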