authorJohn MacFarlane <jgm@berkeley.edu>2019-11-11 12:52:35 -0800
committerJohn MacFarlane <jgm@berkeley.edu>2019-11-11 12:52:35 -0800
commitcb1cd888cce0cae20a33663d6d17ef7630c5d4d7 (patch)
tree203fed956b1e831cdbb2e149e9271ae67b0eaa0a
parent7d04065de4c793003af01647ff23132de1c9e919 (diff)
Fix entity parser (and api test) to respect length limit on numeric entities.
-rw-r--r--api_test/main.c6
-rw-r--r--src/inlines.c7
2 files changed, 9 insertions, 4 deletions
diff --git a/api_test/main.c b/api_test/main.c
index 83afbff..9b7ba41 100644
--- a/api_test/main.c
+++ b/api_test/main.c
@@ -837,11 +837,11 @@ static void numeric_entities(test_batch_runner *runner) {
"Valid numeric entity 0x10FFFF");
test_md_to_html(runner, "&#x110000;", "<p>" UTF8_REPL "</p>\n",
"Invalid numeric entity 0x110000");
- test_md_to_html(runner, "&#x80000000;", "<p>" UTF8_REPL "</p>\n",
+ test_md_to_html(runner, "&#x80000000;", "<p>&amp;#x80000000;</p>\n",
"Invalid numeric entity 0x80000000");
- test_md_to_html(runner, "&#xFFFFFFFF;", "<p>" UTF8_REPL "</p>\n",
+ test_md_to_html(runner, "&#xFFFFFFFF;", "<p>&amp;#xFFFFFFFF;</p>\n",
"Invalid numeric entity 0xFFFFFFFF");
- test_md_to_html(runner, "&#99999999;", "<p>" UTF8_REPL "</p>\n",
+ test_md_to_html(runner, "&#99999999;", "<p>&amp;#99999999;</p>\n",
"Invalid numeric entity 99999999");
test_md_to_html(runner, "&#;", "<p>&amp;#;</p>\n",
diff --git a/src/inlines.c b/src/inlines.c
index 2a84242..263a39b 100644
--- a/src/inlines.c
+++ b/src/inlines.c
@@ -784,13 +784,18 @@ static cmark_node *handle_backslash(subject *subj) {
static cmark_node *handle_entity(subject *subj) {
cmark_strbuf ent = CMARK_BUF_INIT(subj->mem);
bufsize_t len;
+ int length_limit = 256;
advance(subj);
len = houdini_unescape_ent(&ent, subj->input.data + subj->pos,
subj->input.len - subj->pos);
- if (len == 0)
+ if (peek_char(subj) == '#') {
+ length_limit = 9; // includes #, optional x for hex, and ;
+ }
+
+ if (len <= 0 || len > length_limit)
return make_str(subj, subj->pos - 1, subj->pos - 1, cmark_chunk_literal("&"));
subj->pos += len;
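Review bot: The new `len > length_limit` rejection returns without releasing `ent`, which has already been passed to `houdini_unescape_ent` by that point. Before this change the early return was taken only for `len == 0`; it is now also taken after a successful decode, so if the helper wrote into `ent` (its body is not visible here, so this is inferred) the buffer allocated from `subj->mem` is leaked for every over-long entity in untrusted input. Bracing the branch and adding `cmark_strbuf_free(&ent);` before the `return make_str(...)` would close that path. `handle_entity` continues past the end of the hunk.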