From 45e49ae3015c833da53f4d5aed78fa860944e4e1 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Sat, 9 Mar 2019 16:17:26 -0800
Subject: [PATCH] Fix two exponential regex backtracking vulnerabilities
ESCAPED_CHAR already matches `\\`, so matching it again in another alternative was just causing exponential complexity explosion.
Fixes #157.
Signed-off-by: Anders Kaseorg
---
 lib/inlines.js | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/lib/inlines.js b/lib/inlines.js
index 762f477f..f586d557 100644
--- a/lib/inlines.js
+++ b/lib/inlines.js
@@ -45,8 +45,7 @@ var reLinkTitle = new RegExp( '|' + '\\((' + ESCAPED_CHAR + '|[^)\\x00])*\\))');
-var reLinkDestinationBraces = new RegExp(
- '^(?:[<](?:[^<>\\n\\\\\\x00]' + '|' + ESCAPED_CHAR + '|' + '\\\\)*[>])');
+var reLinkDestinationBraces = /^(?:<(?:[^<>\n\\\x00]|\\.)*\\?>)/;
 var reEscapable = new RegExp('^' + ESCAPABLE);
@@ -78,8 +77,7 @@ var reInitialSpace = /^ */;
 var reSpaceAtEndOfLine = /^ *(?:\n|$)/;
-var reLinkLabel = new RegExp('^\\[(?:[^\\\\\\[\\]]|' + ESCAPED_CHAR +
- '|\\\\){0,1000}\\]');
+var reLinkLabel = /^\[(?:[^\\\[\]]|\\.){0,1000}\]/;
 // Matches a string of non-special characters.
 var reMain = /^[^\n`\[\]\\!<&*_'"]+/m;
@@ -524,9 +522,7 @@ var parseLinkDestination = function() {
 // Attempt to parse a link label, returning number of characters parsed.
 var parseLinkLabel = function() {
 var m = this.match(reLinkLabel);
- // Note: our regex will allow something of form [..\];
- // we disallow it here rather than using lookahead in the regex:
- if (m === null || m.length > 1001 || /[^\\]\\\]$/.exec(m)) {
+ if (m === null || m.length > 1001) {
 return 0;
 } else {
 return m.length;
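Review bot: The `\\.` alternative that replaces `ESCAPED_CHAR` plus the lone-backslash branch in `reLinkDestinationBraces` does not accept the same characters after a backslash: without the `s` flag `.` skips line terminators, and it admits `\x00`, which the old class excluded. The same substitution in `reLinkLabel` (next hunk) matters more, because the old class `[^\\\[\]]` let a newline follow a lone backslash, so a label with a backslash at the end of a line would no longer match. If the old acceptance set is intended, the single-pass shape can stay with the class spelled out: `var reLinkDestinationBraces = /^(?:<(?:[^<>\n\\\x00]|\\[^\n\x00])*\\?>)/;` and `var reLinkLabel = /^\[(?:[^\\\[\]]|\\[\s\S]){0,1000}\]/;`. Whether `\r` or NUL can reach these patterns depends on input normalisation that this patch does not show.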
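Review bot: Nothing in the patch pins the linear-time behaviour of `reLinkLabel`, or of `reLinkDestinationBraces` in the previous hunk; the diffstat lists only lib/inlines.js, so the fix for #157 ships without a regression test. A later edit that adds back an alternative overlapping `\\.` would bring the backtracking back unnoticed. A test that feeds each pattern a long run of backslashes with no closing delimiter and asserts that the parse returns within a fixed time budget would guard this, alongside functional cases such as `[a\]`, `[a\\]` and `<a\>` to pin down the accepted forms.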
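Review bot: The shortened condition in `parseLinkLabel` is correct only because `reLinkLabel` now consumes a backslash and the character after it as one unit, and with the old note deleted nothing at this call site says so. A one-line comment would keep that dependency visible, for example `// reLinkLabel treats "\]" as an escaped pair, so m cannot end in an escaped bracket.` It is also worth noting beside `m.length > 1001` that `{0,1000}` counts an escaped pair as one repetition, so the length test is what actually bounds the match length in characters. The function's closing lines fall outside the hunk.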