Merge pull request #167 from dtldarek/master

Two buffer overflow fixes.
mity · Jan 6, 2022 · eeb32ec · eeb32ec
2 parents a8bb4d3 + b8c31a5
commit eeb32ec
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,10 @@ Changes:
 
 Fixes:
 
+ * [#167](https://github.com/mity/md4c/issues/167):
+   Fix two buffer overflow bugs found using a fuzz testting. Contributed by
+   dtldarek.
+
  * [#163](https://github.com/mity/md4c/issues/163):
    Make HTML renderer to emit `'\n'` after the root tag when in the XHTML mode.
 

diff --git a/src/md4c.c b/src/md4c.c
@@ -2275,7 +2275,7 @@ md_is_inline_link_spec(MD_CTX* ctx, const MD_LINE* lines, int n_lines,
     /* Optional white space with up to one line break. */
     while(off < lines[line_index].end  &&  ISWHITESPACE(off))
         off++;
-    if(off >= lines[line_index].end  &&  ISNEWLINE(off)) {
+    if(off >= lines[line_index].end  &&  (off >= ctx->size  ||  ISNEWLINE(off))) {
         line_index++;
         if(line_index >= n_lines)
             return FALSE;
@@ -5683,6 +5683,7 @@ md_is_container_mark(MD_CTX* ctx, unsigned indent, OFF beg, OFF* p_end, MD_CONTA
         off++;
     }
     if(off > beg  &&
+       off < ctx->size  &&
        (CH(off) == _T('.') || CH(off) == _T(')'))  &&
        (off+1 >= ctx->size || ISBLANK(off+1) || ISNEWLINE(off+1)))
     {