Diffstat (limited to 'src/buffer.h')
-rw-r--r--src/buffer.h37
1 files changed, 20 insertions, 17 deletions
diff --git a/src/buffer.h b/src/buffer.h
index 6fd0cae..ad4f341 100644
--- a/src/buffer.h
+++ b/src/buffer.h
@@ -5,13 +5,15 @@
#include <stdarg.h>
#include <string.h>
#include <limits.h>
+#include <unistd.h>
+#include <stdbool.h>
#include "config.h"
#ifdef __cplusplus
extern "C" {
#endif
-typedef int bufsize_t;
+typedef ssize_t bufsize_t;
typedef struct {
unsigned char *ptr;
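Review bot: The added `#include <unistd.h>` and the `ssize_t` typedef make this header depend on POSIX, and nothing visible here shows `config.h` supplying `ssize_t` for toolchains that lack `<unistd.h>`. If the goal is only a signed, pointer-width size, standard C offers `#include <stddef.h>` with `typedef ptrdiff_t bufsize_t;`, and the limit would then be expressed against `PTRDIFF_MAX`. Widening from `int` also means any caller that still stores a `bufsize_t` in an `int` will now truncate silently, so call sites outside this hunk are worth a pass with `-Wconversion`. The `typedef struct` that follows continues past the end of the hunk.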
@@ -22,7 +24,22 @@ extern unsigned char cmark_strbuf__initbuf[];
#define GH_BUF_INIT \
{ cmark_strbuf__initbuf, 0, 0 }
-#define BUFSIZE_MAX INT_MAX
+
+/*
+ * Maximum size for memory storage on any given `cmark_strbuf` object.
+ *
+ * This is a "safe" value to prevent unbounded memory growth when
+ * parsing arbitrarily large (and potentially malicious) documents.
+ *
+ * It is currently set to 32mb, which is a reasonable default for
+ * production applications. If you need to parse documents larger than
+ * that, you can increase this value up to `SSIZE_MAX / 2` (which in
+ * practice resolves to 1/4th of the total address space for the program).
+ *
+ * Anything larger than that is a security threat and hence static checks
+ * will prevent CMark from compiling.
+ */
+#define BUFSIZE_MAX (32 * 1024 * 1024)
/**
* Initialize a cmark_strbuf structure.
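Review bot: The new comment promises that static checks stop compilation when `BUFSIZE_MAX` exceeds `SSIZE_MAX / 2`, but no such check appears next to the define or anywhere else in this header's hunks. Since this bound is what keeps size arithmetic on a signed `bufsize_t` from overflowing, I would put the guard directly under the define so the promise and its enforcement cannot drift apart: `#if BUFSIZE_MAX > (SSIZE_MAX / 2)`, `#error "BUFSIZE_MAX is too large"`, `#endif`. Separately, `(32 * 1024 * 1024)` is evaluated as `int` in ordinary expressions, so someone raising it as the comment invites could overflow the product itself. The comment should say that the first factor needs a wider type for larger values.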
@@ -35,7 +52,7 @@ void cmark_strbuf_init(cmark_strbuf *buf, bufsize_t initial_size);
/**
* Grow the buffer to hold at least `target_size` bytes.
*/
-void cmark_strbuf_grow(cmark_strbuf *buf, bufsize_t target_size);
+bool cmark_strbuf_grow(cmark_strbuf *buf, bufsize_t target_size);
void cmark_strbuf_free(cmark_strbuf *buf);
void cmark_strbuf_swap(cmark_strbuf *buf_a, cmark_strbuf *buf_b);
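Review bot: The doc comment above `cmark_strbuf_grow` still describes only the growth and says nothing about the new `bool` return. A caller who ignores the result would presumably go on writing into a buffer that did not grow. I would extend it along the lines of `Returns false, leaving the buffer unchanged, if target_size exceeds BUFSIZE_MAX or allocation fails; callers must check the result before writing.`, with the exact conditions confirmed against the implementation, which is not shown here. This commit also deletes the abort-on-overflow helpers from this header, so the return value looks like the only remaining failure signal. Marking the declaration warn-unused-result where the compiler supports it would catch unchecked calls at build time.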
@@ -72,20 +89,6 @@ void cmark_strbuf_trim(cmark_strbuf *buf);
void cmark_strbuf_normalize_whitespace(cmark_strbuf *s);
void cmark_strbuf_unescape(cmark_strbuf *s);
-/* Print error and abort. */
-void cmark_strbuf_overflow_err(void);
-
-static CMARK_INLINE bufsize_t cmark_strbuf_check_bufsize(size_t size) {
- if (size > BUFSIZE_MAX) {
- cmark_strbuf_overflow_err();
- }
- return (bufsize_t)size;
-}
-
-static CMARK_INLINE bufsize_t cmark_strbuf_safe_strlen(const char *str) {
- return cmark_strbuf_check_bufsize(strlen(str));
-}
-
#ifdef __cplusplus
}
#endif