sdaveb/cmark
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed use-after-free bug.

Browse Source 
This arose when a paragraph containing only reference links and
blank space was finalized.  Finalization would remove the
node.  `finalize` returns the parent node, but the problem
arose because we had both `cur` and `parser->current`, and
only one was being updated.  Solution:  remove `cur`, which is
a holdover from before we had `parser->current`.

I believe this will close #9 -- @JordanMilne can you test and confirm?
This commit is contained in:
John MacFarlane 2015-02-19 09:16:49 -08:00
parent 17e4a8203d
commit aad831e87c
1 changed files with 8 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/blocks.c
View File

@ -523,7 +523,6 @@ S_process_line(cmark_parser *parser, const unsigned char *buffer, size_t bytes)
cmark_list *data = NULL;
bool all_matched = true;
cmark_node* container;
cmark_node* cur = parser->current;
bool blank = false;
int first_nonspace;
int indent;
@ -659,7 +658,7 @@ S_process_line(cmark_parser *parser, const unsigned char *buffer, size_t bytes)
blank = peek_at(&input, first_nonspace) == '\n';
if (indent >= CODE_INDENT) {
if (cur->type != NODE_PARAGRAPH && !blank) {
if (parser->current->type != NODE_PARAGRAPH && !blank) {
offset += CODE_INDENT;
container = add_child(parser, container, NODE_CODE_BLOCK, offset + 1);
container->as.code.fenced = false;
@ -809,20 +808,20 @@ S_process_line(cmark_parser *parser, const unsigned char *buffer, size_t bytes)
cont = cont->parent;
}
if (cur != last_matched_container &&
if (parser->current != last_matched_container &&
container == last_matched_container &&
!blank &&
cur->type == NODE_PARAGRAPH &&
cmark_strbuf_len(&cur->string_content) > 0) {
parser->current->type == NODE_PARAGRAPH &&
cmark_strbuf_len(&parser->current->string_content) > 0) {
add_line(cur, &input, offset);
add_line(parser->current, &input, offset);
} else { // not a lazy continuation
// finalize any blocks that were not matched and set cur to container:
while (cur != last_matched_container) {
cur = finalize(parser, cur);
assert(cur != NULL);
while (parser->current != last_matched_container) {
parser->current = finalize(parser, parser->current);
assert(parser->current != NULL);
}
if (container->type == NODE_CODE_BLOCK ||