path: root/src/chunk.h
Age  Commit message  Author
2016-06-06  cmark: Implement support for custom allocators  (Vicent Marti)
2016-06-06  cmake: Global handler for OOM situations  (Vicent Marti)
2016-06-06  buffer: proper safety checks for unbounded memory  (Vicent Marti)

The previous work for unbounded memory usage and overflows on the buffer API had several shortcomings:

1. The total size of the buffer was limited by arbitrarily small precision on the storage type for buffer indexes (typedef'd as `bufsize_t`). This is not a good design pattern in secure applications, particularly since it requires the addition of helper functions to cast to/from the native `size` types and the custom type for the buffer, and check for overflows.

2. The library was calling `abort` on overflow and memory allocation failures. This is not a good practice for production libraries, since it turns a potential RCE into a trivial, guaranteed DoS to the whole application that is linked against the library. It defeats the whole point of performing overflow or allocation checks when the checks will crash the library and the enclosing program anyway.

3. The default size limits for buffers were essentially unbounded (capped to the precision of the storage type) and could lead to DoS attacks by simple memory exhaustion (particularly critical on 32-bit platforms). This is not a good practice for a library that handles arbitrary user input.

Hence, this patchset provides slight (but in my opinion critical) improvements in this area, copying some of the patterns we've used in the past for high throughput, security sensitive Markdown parsers:

1. The storage type for buffer sizes is now platform native (`ssize_t`). Ideally, this would be a `size_t`, but several parts of the code expect buffer indexes to be possibly negative. Either way, switching to a `size` type is a strict improvement, particularly on 64-bit platforms. All the helpers that assured that values cannot escape the `size` range have been removed, since they are superfluous.

2. The overflow checks have been removed. Instead, the maximum size for a buffer has been set to a safe value for production usage (32mb) that can be proven not to overflow in practice. Users that need to parse particularly large Markdown documents can increase this value. A static, compile-time check has been added to ensure that the maximum buffer size cannot overflow on any growth operations.

3. The library no longer aborts on buffer overflow. The CMark library now follows the convention of other Markdown implementations (such as Hoedown and Sundown) and silently handles buffer overflows and allocation failures by dropping data from the buffer. The result is that pathological Markdown documents that try to exploit the library will instead generate truncated (but valid, and safe) outputs.

All tests after these small refactorings have been verified to pass.

---

NOTE: Regarding 32 bit overflows, generating test cases that crash the library is trivial (any input document larger than 2gb will crash CMark), but most Python implementations have issues with large strings to begin with, so a test case cannot be added to the pathological tests suite, since it's written in Python.
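The bounded-buffer pattern the commit message describes (native `ssize_t` indexes, a fixed cap proven at compile time not to overflow on growth, and truncation instead of `abort`), as an added C example that is not cmark's own buffer code; the 1 MiB cap, the `buf_t` type and all function names are constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t: the native index type the commit switches to */

/* Hypothetical cap: 1 MiB so the demo reaches it quickly (the commit uses 32 MB). */
#define BUF_MAX_SIZE ((ssize_t)(1 << 20))
/* Compile-time check: doubling the cap during growth can never overflow ssize_t. */
_Static_assert(BUF_MAX_SIZE <= (ssize_t)(SIZE_MAX / 4), "BUF_MAX_SIZE cannot grow safely");

typedef struct {
  unsigned char *ptr;
  ssize_t size;   /* bytes in use */
  ssize_t asize;  /* bytes allocated */
  int truncated;  /* set once data was dropped; the library never aborts */
} buf_t;

static void buf_init(buf_t *b) { b->ptr = NULL; b->size = b->asize = 0; b->truncated = 0; }
static void buf_free(buf_t *b) { free(b->ptr); buf_init(b); }

/* Grow to hold `target` bytes: 0 on success, -1 if over the cap or realloc fails.
 * The buffer stays valid either way. */
static int buf_grow(buf_t *b, ssize_t target) {
  if (target <= b->asize) return 0;
  if (target > BUF_MAX_SIZE) return -1;
  ssize_t new_size = b->asize ? b->asize : 32;
  while (new_size < target) new_size *= 2;   /* bounded by the static check above */
  if (new_size > BUF_MAX_SIZE) new_size = BUF_MAX_SIZE;
  unsigned char *p = realloc(b->ptr, (size_t)new_size);
  if (!p) return -1;
  b->ptr = p; b->asize = new_size;
  return 0;
}

/* Append `len` bytes. Bytes that do not fit under the cap are dropped and the
 * truncation recorded, so pathological input yields short but valid output. */
static void buf_put(buf_t *b, const unsigned char *data, ssize_t len) {
  if (len <= 0) return;
  ssize_t room = BUF_MAX_SIZE - b->size;
  if (len > room) { len = room; b->truncated = 1; }
  if (len == 0 || buf_grow(b, b->size + len) != 0) { b->truncated = 1; return; }
  memcpy(b->ptr + b->size, data, (size_t)len);
  b->size += len;
}

/* Feed more than the cap; the buffer stops exactly at the cap with the flag set. */
static int demo_truncation(void) {
  buf_t b; buf_init(&b);
  unsigned char chunk[4096];
  memset(chunk, 'a', sizeof chunk);   /* constructed input: 300 * 4 KiB > 1 MiB */
  for (int i = 0; i < 300; i++) buf_put(&b, chunk, (ssize_t)sizeof chunk);
  int ok = b.size == BUF_MAX_SIZE && b.truncated == 1 && b.asize <= BUF_MAX_SIZE;
  buf_free(&b);
  return ok;
}
```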
2016-04-09  Reformatted.  (John MacFarlane)
2016-01-18  Automatic code reformat.  (John MacFarlane)
2015-12-28  Reformat sources.  (John MacFarlane)
2015-12-19  Use fully qualified versions of constants.  (John MacFarlane)
2015-08-10  Don't include static in CMARK_INLINE.  (John MacFarlane)
Also don't set CMARK_INLINE to __inline if we're compiling under MSVC in cplusplus mode.
2015-08-10  Fix MSVC inline errors when cmark is included in other sources that don't have the same set of disabled warnings  (Kevin Wojniak)
2015-07-27  Use clang-format, llvm style, for formatting.  (John MacFarlane)
* Reformatted all source files.
* Added 'format' target to Makefile.
* Removed 'astyle' target.
* Updated .editorconfig.
2015-06-07  Helper to safely call strlen  (Nick Wellnhofer)
2015-06-07  Convert code base to strbuf_t  (Nick Wellnhofer)
There are probably a couple of places I missed. But this will only be a problem if we use a 64-bit bufsize_t at some point. Then, we'll get warnings from -Wshorten-64-to-32.
2015-06-06  astyle formatting changes.  (John MacFarlane)
2015-05-30  Fix for UBSAN note  (Jeroen Ooms)
2015-05-14  Allow NULL value in string setters  (Nick Wellnhofer)
Supersedes pull request #34.
2015-05-14  Store link URL and title as cmark_chunk  (Nick Wellnhofer)
2014-12-29  Added cmark_ prefix to functions in cmark_ctype.  (John MacFarlane)
2014-12-29  Added cmark_ctype.h with locale-independent isspace, ispunct, etc.  (John MacFarlane)
Otherwise cmark's behavior varies unpredictably with the locale. `is_punctuation` in utf8.h has also been adjusted so that all ASCII symbol characters count as punctuation, even though some are not in P* character classes.
2014-12-15  Re-added cmark_ prefix to strbuf and chunk.  (John MacFarlane)
Reverts 225d720.
2014-12-13  Removed cmark_ prefix on chunk and strbuf.  (John MacFarlane)
This isn't needed any more since we don't expose these in the API.
2014-11-28  Always define short name macros for private symbols  (Nick Wellnhofer)
Since chunk.h and buffer.h are private now, there's no need to optionally disable the short name macros.
2014-11-18  Add node constructor and accessors to the public API  (Nick Wellnhofer)
The approach I'm taking is to copy inline literals internally to NULL-terminated C strings if requested by an accessor. This allows returning a 'const char *' that doesn't have to be freed by the caller.
2014-11-16  Cast void pointers explicitly  (Nick Wellnhofer)
Needed for C++ compatibility.
2014-11-16  Rename include guards for consistency and to avoid reserved identifiers  (Craig Barnes)
2014-11-12  Prefix names in chunk.h  (Nick Wellnhofer)
2014-11-12  Prefix names in buffer.h  (Nick Wellnhofer)
2014-10-06  - Use of calloc instead of malloc  (tchetch)
- Test for NULL after allocation
2014-09-09  Rename to strbuf  (Vicent Marti)
2014-09-09  Add chunk.h  (Vicent Marti)