Change types for source map offsets (#174)

* Improve strbuf guarantees Introduce BUFSIZE_MAX macro and make sure that the strbuf implementation can handle strings up to this size. * Abort early if document size exceeds internal limit * Change types for source map offsets Switch to size_t for the public API, making the public headers C89-compatible again. Switch to bufsize_t internally, reducing memory usage and improving performance on 32-bit platforms. * Make parser return NULL on internal index overflow Make S_parser_feed set an error and ignore subsequent chunks if the total input document size exceeds an internal limit. Make cmark_parser_finish return NULL if an error was encountered. Add public API functions to retrieve error code and error message. strbuf overflow in renderers and OOM in parser or renderers still cause an abort.
author: Nick Wellnhofer <wellnhofer@aevum.de> 2016-12-31 02:25:16 +0100
committer: John MacFarlane <jgm@berkeley.edu> 2016-12-30 18:25:16 -0700
commit: 4fbe344df43ed7f60a3d3a53981088334cb709fc (patch)
tree: f7f8264d06cb31024f169fda11c5d72821510c51 /src/blocks.c
parent: c4c1d59ca29aceb1c5919908ac97d9476264fd96 (diff)
1 files changed, 46 insertions, 2 deletions
diff --git a/src/blocks.c b/src/blocks.c
index 1c1d160..c680535 100644
--- a/src/blocks.c
+++ b/src/blocks.c
@@ -96,6 +96,8 @@ cmark_parser *cmark_parser_new_with_mem(int options, cmark_mem *mem) {
   parser->refmap = cmark_reference_map_new(mem);
   parser->root = document;
   parser->current = document;
+  parser->error_code = CMARK_ERR_NONE;
+  parser->total_bytes = 0;
   parser->line_number = 0;
   parser->line_offset = 0;
   parser->offset = 0;
@@ -550,6 +552,20 @@ static void S_parser_feed(cmark_parser *parser, const unsigned char *buffer,
   const unsigned char *skipped;
   static const uint8_t repl[] = {239, 191, 189};
 
+  if (parser->error_code) {
+    return;
+  }
+
+  // Limit maximum document size to BUFSIZE_MAX. This makes sure that we
+  // never create strbufs larger than BUFSIZE_MAX. Unfortunately, the
+  // public API doesn't have an error reporting mechanism, so all we can
+  // do is to abort.
+  if (len > (size_t)(BUFSIZE_MAX - parser->total_bytes)) {
+    parser->error_code = CMARK_ERR_INPUT_TOO_LARGE;
+    return;
+  }
+  parser->total_bytes += (bufsize_t)len;
+
   if (parser->last_buffer_ended_with_cr && *buffer == '\n') {
     // skip NL if last buffer ended with CR ; see #117
     buffer++;
@@ -1266,14 +1282,19 @@ cmark_node *cmark_parser_finish(cmark_parser *parser) {
     cmark_strbuf_clear(&parser->linebuf);
   }
 
+  cmark_strbuf_clear(&parser->curline);
+
+  if (parser->error_code) {
+    cmark_node_free(parser->root);
+    return NULL;
+  }
+
   finalize_document(parser);
 
   if (parser->options & CMARK_OPT_NORMALIZE) {
     cmark_consolidate_text_nodes(parser->root);
   }
 
-  cmark_strbuf_free(&parser->curline);
-
 #if CMARK_DEBUG_NODES
   if (cmark_node_check(parser->root, stderr)) {
     abort();
@@ -1287,3 +1308,26 @@ cmark_parser_get_first_source_extent(cmark_parser *parser)
 {
   return parser->source_map->head;
 }
+
+cmark_err_type cmark_parser_get_error(cmark_parser *parser) {
+  return parser->error_code;
+}
+
+const char *cmark_parser_get_error_message(cmark_parser *parser) {
+  const char *str = NULL;
+
+  switch (parser->error_code) {
+    case CMARK_ERR_OUT_OF_MEMORY:
+      str = "Out of memory";
+      break;
+    case CMARK_ERR_INPUT_TOO_LARGE:
+      str = "Input too large";
+      break;
+    default:
+      str = "Unknown error";
+      break;
+  }
+
+  return str;
+}
+
author	Nick Wellnhofer <wellnhofer@aevum.de>	2016-12-31 02:25:16 +0100
committer	John MacFarlane <jgm@berkeley.edu>	2016-12-30 18:25:16 -0700
commit	4fbe344df43ed7f60a3d3a53981088334cb709fc (patch)
tree	f7f8264d06cb31024f169fda11c5d72821510c51 /src/blocks.c
parent	c4c1d59ca29aceb1c5919908ac97d9476264fd96 (diff)