From bef240d45b5eda3a584ca1a495f54cb17ff8895f Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 7 Jun 2015 16:54:37 +0200
Subject: Check for overflow in S_parser_feed

Guard against too large chunks passed via the API.
---
 src/blocks.c | 9 ++++++---
 src/buffer.h | 8 ++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/blocks.c b/src/blocks.c
index 72b1ca5..a3ac712 100644
--- a/src/blocks.c
+++ b/src/blocks.c
@@ -497,6 +497,7 @@ S_parser_feed(cmark_parser *parser, const unsigned char *buffer, size_t len,
 	while (buffer < end) {
 		const unsigned char *eol;
 		size_t line_len;
+		bufsize_t bufsize;
 
 		for (eol = buffer; eol < end; ++eol) {
 			if (S_is_line_end_char(*eol))
@@ -514,17 +515,19 @@ S_parser_feed(cmark_parser *parser, const unsigned char *buffer, size_t len,
 		} else if (eof) {
 			line_len = end - buffer;
 		} else {
-			cmark_strbuf_put(parser->linebuf, buffer, end - buffer);
+			bufsize = cmark_strbuf_check_bufsize(end - buffer);
+			cmark_strbuf_put(parser->linebuf, buffer, bufsize);
 			break;
 		}
 
+		bufsize = cmark_strbuf_check_bufsize(line_len);
 		if (parser->linebuf->size > 0) {
-			cmark_strbuf_put(parser->linebuf, buffer, line_len);
+			cmark_strbuf_put(parser->linebuf, buffer, bufsize);
 			S_process_line(parser, parser->linebuf->ptr,
 			               parser->linebuf->size);
 			cmark_strbuf_clear(parser->linebuf);
 		} else {
-			S_process_line(parser, buffer, line_len);
+			S_process_line(parser, buffer, bufsize);
 		}
 
 		buffer += line_len;
diff --git a/src/buffer.h b/src/buffer.h
index 9c850e4..f9696e0 100644
--- a/src/buffer.h
+++ b/src/buffer.h
@@ -74,6 +74,14 @@ void cmark_strbuf_unescape(cmark_strbuf *s);
 /* Print error and abort. */
 void cmark_strbuf_overflow_err(void);
 
+static inline bufsize_t
+cmark_strbuf_check_bufsize(size_t size) {
+	if (size > BUFSIZE_MAX) {
+		cmark_strbuf_overflow_err();
+	}
+	return (bufsize_t)size;
+}
+
 #ifdef __cplusplus
 }
 #endif
-- 
cgit v1.2.3