Suresoft-GLaDOS edited this page May 26, 2023 · 8 revisions

#1

Link : https://github.com/mity/md4c/commit/e6e2ea4c5a5b972779d9222c4f66b5a693444ce2
Description: NULL Pointer Dereference
CVE Info: CVE-2018-12102

At md4c/md4c.c

@@ -5641,8 +5641,7 @@ redo:
     }
     /* Check whether we are table continuation. */
+    if(pivot_line->type == MD_LINE_TABLE  &&  md_is_table_row(ctx, off, &off)  &&
+       n_parents == ctx->n_containers)
-    if(pivot_line->type == MD_LINE_TABLE  &&  md_is_table_row(ctx, off, &off))
     {
         line->type = MD_LINE_TABLE;
         goto done;
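Review bot: The new container check runs after `md_is_table_row(ctx, off, &off)`, so when the pivot line is a table but `n_parents != ctx->n_containers` the call has already executed and, if it stores to its out-parameter before returning, `off` is advanced even though the line is then not classified as a table row. Evaluating the cheap comparison first avoids both the call and the side effect: `if(pivot_line->type == MD_LINE_TABLE  &&  n_parents == ctx->n_containers  &&  md_is_table_row(ctx, off, &off))`. Whether `md_is_table_row` writes `*p_end` on failure is not visible in the hunk. The enclosing function begins and ends outside the hunk.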

Tags
#Omission #Multi-line #Modified #CVE

#2

Link : https://github.com/mity/md4c/commit/4ef024fbb7e739a5861619726b45c7f6d157b25e
Description: Out-of-bounds Read
CVE Info: CVE-2018-11546

At md4c/md4c.c

@@ -3961,10 +3961,6 @@ md_process_inlines(MD_CTX* ctx, const MD_LINE* lines, int n_lines)
                                 md_mark_get_ptr(ctx, title_mark - ctx->marks), title_mark->prev));
                     /* link/image closer may span multiple lines. */
+                    if(mark->ch == ']') {
+                        while(mark->end > line->end)
+                            line++;
+                    }
                     break;
                 }
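Review bot: The added `while(mark->end > line->end) line++;` is bounded only by the mark's end offset and never by `n_lines` from the signature, so a mark whose end lies beyond the last line's `end` would walk `line` past the `lines` array. If such marks cannot occur, state the invariant at the loop, e.g. `/* mark->end always lies within lines[0..n_lines-1]. */`; otherwise bound the step: `while(mark->end > line->end  &&  line < lines + n_lines - 1) line++;`. The surrounding switch and the body of `md_process_inlines` extend beyond both ends of the hunk.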

Tags
#Omission #Multi-line #Added #CVE

#3

Link : https://github.com/mity/md4c/commit/bf022cb6569457598fb37b266a4129d1aa01211b
Description: Out-of-bounds Write
CVE Info: CVE-2018-11536

At md4c/md4c.c

@@ -3490,7 +3490,7 @@ static int
 md_split_simple_pairing_mark(MD_CTX* ctx, int mark_index, SZ n)
 {
     MD_MARK* mark = &ctx->marks[mark_index];
+    int new_mark_index = mark_index + (mark->end - mark->beg - n);
-    int new_mark_index = mark_index + (mark->end - mark->beg - 1);
     MD_MARK* dummy = &ctx->marks[new_mark_index];
     MD_ASSERT(mark->end - mark->beg > n);
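Review bot: `MD_ASSERT(mark->end - mark->beg > n)` is placed after `new_mark_index` and `dummy` are derived from the same subtraction, so in a build where `MD_ASSERT` expands to nothing an oversized `n` yields a wrapped index (if `SZ` is unsigned) and a `dummy` pointer into `ctx->marks` before the precondition is ever checked. Moving the assertion above the `int new_mark_index = mark_index + (mark->end - mark->beg - n);` line keeps the check in front of the values that depend on it; whether `MD_ASSERT` is active in release builds is not visible here. The rest of `md_split_simple_pairing_mark` lies outside the hunk.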

Tags
#Logical-error #Single-line #Modified #CVE

#4

Link : https://github.com/mity/md4c/commit/da5821ae0ddb0e0cb853455dd018a7592a35151b
Description: Fix the loop end condition (md_link_label_cmp)

At src/md4c.c

@@ -1589,6 +1589,8 @@ md_link_label_cmp(const CHAR* a_label, SZ a_size, const CHAR* b_label, SZ b_size
 {
     OFF a_off;
     OFF b_off;
-    int a_reached_end = FALSE;
-    int b_reached_end = FALSE;
     MD_UNICODE_FOLD_INFO a_fi = { { 0 }, 0 };
     MD_UNICODE_FOLD_INFO b_fi = { { 0 }, 0 };
     OFF a_fi_off = 0;
@@ -1597,17 +1599,18 @@ md_link_label_cmp(const CHAR* a_label, SZ a_size, const CHAR* b_label, SZ b_size
     a_off = md_skip_unicode_whitespace(a_label, 0, a_size);
     b_off = md_skip_unicode_whitespace(b_label, 0, b_size);
+    while(a_off < a_size || a_fi_off < a_fi.n_codepoints ||
+          b_off < b_size || b_fi_off < b_fi.n_codepoints)
-    while(!a_reached_end || !b_reached_end)
     {
         /* If needed, load fold info for next char. */
         if(a_fi_off >= a_fi.n_codepoints) {
             a_fi_off = 0;
             a_off = md_link_label_cmp_load_fold_info(a_label, a_off, a_size, &a_fi);
-            a_reached_end = (a_off >= a_size);
         }
         if(b_fi_off >= b_fi.n_codepoints) {
             b_fi_off = 0;
             b_off = md_link_label_cmp_load_fold_info(b_label, b_off, b_size, &b_fi);
-            b_reached_end = (b_off >= b_size);
         }
         cmp = b_fi.codepoints[b_fi_off] - a_fi.codepoints[a_fi_off];
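Review bot: With the rewritten loop condition, `cmp = b_fi.codepoints[b_fi_off] - a_fi.codepoints[a_fi_off]` still executes when only one side has input left, so correctness now rests on `md_link_label_cmp_load_fold_info` leaving at least one sentinel codepoint in the fold info once `off >= size`; if it instead reports `n_codepoints == 0`, `codepoints[0]` holds a stale value from the previous character. That contract is not visible in the hunk and deserves a comment at the load sites, e.g. `/* At end of label the loader yields a sentinel codepoint, so a shorter label compares unequal to a longer one. */`, or an explicit check in the loader. The earlier hunk of this commit only drops the two `*_reached_end` locals. `md_link_label_cmp` continues past the end of the hunk.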

Tags
#Logical-error #Invalid-condition #Multi-line #Modified

#5

Link : https://github.com/mity/md4c/commit/002f76c9750cc13315d4b23e3228cb09e548320a
Description: Skip [...] used as a reference link/image label (md_resolve_links)

At src/md4c.c

@@ -3527,7 +3527,6 @@ md_resolve_links(MD_CTX* ctx, const MD_LINE* lines, int n_lines)
                 /* Do not analyze the label as a standalone link in the next
                  * iteration. */
+                next_index = ctx->marks[next_index].prev;
             }
         } else {
             if(closer->end < ctx->size  &&  CH(closer->end) == _T('(')) {
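Review bot: The comment above `next_index = ctx->marks[next_index].prev;` states the intent but not the mechanism: stepping to `prev` relies on the caller's loop treating whatever `prev` holds when there is no earlier mark (presumably a sentinel value) as a terminating index. Extend the comment so that dependency is explicit, e.g. `/* ... iteration: jump to the mark before the label's opener; the loop over next_index must stop on the no-predecessor sentinel. */`. The loop that consumes `next_index` and the rest of `md_resolve_links` are outside the hunk.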

Tags
#Omission #Single-line #Added

#6

Link : https://github.com/mity/md4c/commit/c595c2ed0076616856634332c35a7a3c851b287c
Description: Fix off by 1 error (md_process_verbatim_block_contents)

At src/md4c.c

@@ -4579,7 +4579,7 @@ md_process_verbatim_block_contents(MD_CTX* ctx, MD_TEXTTYPE text_type, const MD_
         MD_ASSERT(indent >= 0);
         /* Output code indentation. */
+        while(indent > (int) indent_chunk_size) {
-        while(indent > (int) SIZEOF_ARRAY(indent_chunk_str)) {
             MD_TEXT(text_type, indent_chunk_str, indent_chunk_size);
             indent -= indent_chunk_size;
         }
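Review bot: The corrected condition `indent > (int) indent_chunk_size` deliberately leaves a remainder of up to `indent_chunk_size` characters unemitted, which presumably is written out by code after the hunk; that two-step scheme is why `>` rather than `>=` is right here and why the old `SIZEOF_ARRAY` form, which counts the terminating NUL, overshot by one. A one-line comment would stop the next reader from "fixing" it back: `/* Emit whole chunks; the remainder (<= indent_chunk_size) is emitted below. */`. `md_process_verbatim_block_contents` continues outside the hunk.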

Tags
#Invalid-condition #Single-line #Modified

#7

Link : https://github.com/mity/md4c/commit/5d7c35973e5d06b46ca21b5b6e292c56dba7ca23
Description: Detect correctly opener chain when resolving the range (md_analyze_emph)

At md4c/md4c.c

@@ -3725,7 +3725,7 @@ md_analyze_emph(MD_CTX* ctx, int mark_index)
         if(opener != NULL) {
             SZ opener_size = opener->end - opener->beg;
             SZ closer_size = mark->end - mark->beg;
+            MD_MARKCHAIN* opener_chain = md_mark_chain(ctx, opener_index);
-            MD_MARKCHAIN* opener_chain = md_mark_chain(ctx, mark_index);
             if(opener_size > closer_size) {
                 opener_index = md_split_emph_mark(ctx, opener_index, closer_size);
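Review bot: `opener_chain` is taken from `opener_index` immediately before `md_split_emph_mark(ctx, opener_index, closer_size)` may reassign `opener_index`, so the chain describes the pre-split opener while the index then names the mark returned by the split; if that is intended, say so, e.g. `/* Chain of the opener as found; opener_index may be replaced by the split below. */`. If the chain of the post-split mark is what is needed, the lookup should move after the split. What the split returns and the remainder of `md_analyze_emph` are outside the hunk.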

Tags
#Logical-error #Single-line #Modified

#8

Link : https://github.com/mity/md4c/commit/0354e1ab5a453e9913dcd5f87c2cfe9a2510dfda
Description: Ordered list mark requires at least one digit (md_is_container_mark)

At md4c/md4c.c

@@ -5486,7 +5486,7 @@ md_is_container_mark(MD_CTX* ctx, unsigned indent, OFF beg, OFF* p_end, MD_CONTA
         p_container->start = p_container->start * 10 + CH(off) - _T('0');
         off++;
     }
+    if(off > beg  &&  off+1 < ctx->size  &&
-    if(off+1 < ctx->size  &&
        (CH(off) == _T('.') || CH(off) == _T(')'))  &&
        (ISBLANK(off+1) || ISNEWLINE(off+1)))
     {
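Review bot: `off > beg` now rejects an empty digit run, but nothing visible caps its length: the accumulation `p_container->start = p_container->start * 10 + CH(off) - _T('0')` wraps (or overflows, if `start` is signed) on a long run of digits, and CommonMark bounds an ordered-list start number to nine digits. If the loop head above the hunk does not already enforce that bound, add it to this condition: `if(off > beg  &&  off - beg <= 9  &&  off+1 < ctx->size  &&`. The start of the digit loop and the rest of `md_is_container_mark` are outside the hunk.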

Tags
#Invalid-condition #Single-line #Modified

#9

Link : https://github.com/mity/md4c/commit/ce8b5d9440f3c4087fab63fe80b5f5a316bdbb0c
Description: Blockquote with blank line can interrupt a paragraph (md_analyze_line)

At md4c/md4c.c

@@ -5700,7 +5700,7 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
            md_is_container_mark(ctx, line->indent, off, &off, &container))
         {
             if(pivot_line->type == MD_LINE_TEXT  &&  n_parents == ctx->n_containers  &&
+                        (off >= ctx->size || ISNEWLINE(off))  &&  container.ch != _T('>'))
-                        (off >= ctx->size || ISNEWLINE(off)))
             {
                 /* Noop. List mark followed by a blank line cannot interrupt a paragraph. */
             } else if(pivot_line->type == MD_LINE_TEXT  &&  n_parents == ctx->n_containers  &&
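Review bot: The comment `/* Noop. List mark followed by a blank line cannot interrupt a paragraph. */` no longer matches the condition, which now excludes `'>'` containers; update it to `/* Noop. List mark followed by a blank line cannot interrupt a paragraph (a blockquote mark can). */`. The guard `pivot_line->type == MD_LINE_TEXT  &&  n_parents == ctx->n_containers` is also repeated verbatim in the `else if` on the next line and could be hoisted into a local such as `int can_interrupt = ...;` so the two branches stay in step. `md_analyze_line` extends beyond both ends of the hunk.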

Tags
#Invalid-condition #Single-line #Modified

#10

Link : https://github.com/mity/md4c/commit/952791318f60437ac4724b43021113e049b171f7
Description: Reset ctx->current_block properly when undoing complete block from ctx->block_bytes[]

At md4c/md4c.c

@@ -4739,7 +4739,6 @@ md_consume_link_reference_definitions(MD_CTX* ctx)
             /* Remove complete block. */
             ctx->n_block_bytes -= n * sizeof(MD_LINE);
             ctx->n_block_bytes -= sizeof(MD_BLOCK);
+            ctx->current_block = NULL;
         } else {
             /* Remove just some initial lines from the block. */
             memmove(lines, lines + n, (n_lines - n) * sizeof(MD_LINE));
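Review bot: The added `ctx->current_block = NULL;` carries no comment explaining that the block it pointed into has just been retired from the byte buffer by the two `n_block_bytes -=` lines above, so a later user of `ctx->current_block` would otherwise address storage past the live part of the buffer; state it: `/* The block record is gone from block_bytes; drop the pointer so it is not reused. */`. The `else` branch keeps `current_block` because that block survives with fewer lines, which is worth a word as well. `md_consume_link_reference_definitions` continues outside the hunk.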

Tags
#Omission #Single-line #Added
