Commit eeb32ecc9ed35615226cb11f112d34b46c9b204a

Martin Mitáš 2022-01-06T16:16:45

Merge pull request #167 from dtldarek/master Two buffer overflow fixes.

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8e54ba2..2b1b02c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,10 @@ Changes:
 
 Fixes:
 
+ * [#167](https://github.com/mity/md4c/issues/167):
+   Fix two buffer overflow bugs found using a fuzz testting. Contributed by
+   dtldarek.
+
  * [#163](https://github.com/mity/md4c/issues/163):
    Make HTML renderer to emit `'\n'` after the root tag when in the XHTML mode.
 
diff --git a/src/md4c.c b/src/md4c.c
index 9192468..97200b2 100644
--- a/src/md4c.c
+++ b/src/md4c.c
@@ -2275,7 +2275,7 @@ md_is_inline_link_spec(MD_CTX* ctx, const MD_LINE* lines, int n_lines,
     /* Optional white space with up to one line break. */
     while(off < lines[line_index].end  &&  ISWHITESPACE(off))
         off++;
-    if(off >= lines[line_index].end  &&  ISNEWLINE(off)) {
+    if(off >= lines[line_index].end  &&  (off >= ctx->size  ||  ISNEWLINE(off))) {
         line_index++;
         if(line_index >= n_lines)
             return FALSE;
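Review bot: The added `off >= ctx->size` test on the line-end `if` protects `ISNEWLINE(off)` only through the short-circuit order of `||`, and nothing on the line says so. A later tidy-up that reorders the operands would bring back the read past the end of the input that this commit is presumably fixing. I would put a comment above the `if`: `/* End of input counts as a line break; test ctx->size first so ISNEWLINE() is never evaluated at off == ctx->size. */`. The visible diff carries no regression input for the fuzz finding, so if the project keeps such cases, adding the minimised reproducer would guard against a regression. The body of md_is_inline_link_spec starts and ends outside the hunk.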
@@ -5683,6 +5683,7 @@ md_is_container_mark(MD_CTX* ctx, unsigned indent, OFF beg, OFF* p_end, MD_CONTA
         off++;
     }
     if(off > beg  &&
+       off < ctx->size  &&
        (CH(off) == _T('.') || CH(off) == _T(')'))  &&
        (off+1 >= ctx->size || ISBLANK(off+1) || ISNEWLINE(off+1)))
     {
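Review bot: The new `off < ctx->size &&` guard before `CH(off)` is the second hand-written bounds test in this commit, which suggests the character macros index the buffer unchecked and leave every caller to remember the guard. Other sites where a scan loop can leave `off` equal to `ctx->size` before a `CH(off)` or `ISNEWLINE(off)` test may need the same treatment; they are not visible here, so this is a prompt to audit rather than a finding. At this site a short comment would record the invariant, e.g. `/* The scan above may stop at ctx->size; bound off before CH(off). */`. The scan loop and the rest of md_is_container_mark lie outside the hunk.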