From cb1cd888cce0cae20a33663d6d17ef7630c5d4d7 Mon Sep 17 00:00:00 2001
From: John MacFarlane
Date: Mon, 11 Nov 2019 12:52:35 -0800
Subject: Fix entity parser (and api test) to respect length limit on numeric entities.
---
 src/inlines.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/inlines.c b/src/inlines.c
index 2a84242..263a39b 100644
--- a/src/inlines.c
+++ b/src/inlines.c
@@ -784,13 +784,18 @@ static cmark_node *handle_backslash(subject *subj) {
 static cmark_node *handle_entity(subject *subj) {
 cmark_strbuf ent = CMARK_BUF_INIT(subj->mem);
 bufsize_t len;
+ int length_limit = 256;
 advance(subj);
 len = houdini_unescape_ent(&ent, subj->input.data + subj->pos, subj->input.len - subj->pos);
- if (len == 0)
+ if (peek_char(subj) == '#') {
+ length_limit = 9; // includes #, optional x for hex, and ;
+ }
+
+ if (len <= 0 || len > length_limit)
 return make_str(subj, subj->pos - 1, subj->pos - 1, cmark_chunk_literal("&"));
 subj->pos += len;
-- cgit v1.2.3
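Review bot: The new rejection case `len > length_limit` returns after `houdini_unescape_ent` has already reported a successful decode, so `ent` may hold allocated bytes that are never released on that path. The decoder's body is not visible here, but if it appends to `ent` before returning a positive length, each over-long entity in untrusted input leaks one buffer, which adds up in a long-running process that parses externally supplied Markdown. Brace the early return and add `cmark_strbuf_free(&ent);` before `return make_str(...)`. A short comment on `length_limit = 256` saying where the named-entity bound comes from would also help, since only the `9` is explained. The rest of `handle_entity`, including its normal return, lies outside the hunk.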