Merge remote-tracking branch 'github/master' into vmitchell/sync-upstream-gfm.7

rdar://104622655

Author: QuietMisdreavus

.gitignore

@@ -33,6 +33,7 @@ build
 cmark.dSYM/*
 cmark
 .vscode
+.DS_Store
 
 # Testing and benchmark
 alltests.md

CMakeLists.txt

@@ -31,6 +31,16 @@ set(CMAKE_C_STANDARD_REQUIRED YES)
 # Use CMake's generated headers instead of the Swift package prebuilt ones
 add_compile_definitions(CMARK_USE_CMAKE_HEADERS)
 
+option(CMARK_FUZZ_QUADRATIC "Build quadratic fuzzing harness" OFF)
+
+if(CMARK_FUZZ_QUADRATIC)
+  set(FUZZER_FLAGS "-fsanitize=fuzzer-no-link,address -g")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${FUZZER_FLAGS}")
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${FUZZER_FLAGS}")
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${FUZZER_FLAGS}")
+  set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} ${FUZZER_FLAGS}")
+endif()
+
 add_subdirectory(src)
 add_subdirectory(extensions)
 if(CMARK_TESTS AND (CMARK_SHARED OR CMARK_STATIC))
@@ -41,6 +51,9 @@ if(CMARK_TESTS)
   enable_testing()
   add_subdirectory(test testdir)
 endif()
+if(CMARK_FUZZ_QUADRATIC)
+  add_subdirectory(fuzz)
+endif()
 
 if(NOT CMAKE_BUILD_TYPE)
   set(CMAKE_BUILD_TYPE "Release" CACHE STRING

Makefile

@@ -22,7 +22,7 @@ VERSION?=$(SPECVERSION)
 RELEASE?=CommonMark-$(VERSION)
 INSTALL_PREFIX?=/usr/local
 CLANG_CHECK?=clang-check
-CLANG_FORMAT=clang-format-3.5 -style llvm -sort-includes=0 -i
+CLANG_FORMAT=clang-format -style llvm -sort-includes=0 -i
 AFL_PATH?=/usr/local/bin
 
 .PHONY: all cmake_build leakcheck clean fuzztest test debug ubsan asan mingw archive newbench bench format update-spec afl clang-check docker libFuzzer
@@ -140,7 +140,7 @@ $(EXTDIR)/ext_scanners.c: $(EXTDIR)/ext_scanners.re
 	esac
 	re2c --case-insensitive -b -i --no-generation-date -8 \
 		--encoding-policy substitute -o $@ $<
-	clang-format-3.5 -style llvm -i $@
+	clang-format -style llvm -i $@
 
 # We include entities.inc in the repository, so normally this
 # doesn't need to be regenerated:
@@ -211,7 +211,7 @@ format:
 	$(CLANG_FORMAT) src/*.c src/*.h api_test/*.c api_test/*.h
 
 format-extensions:
-	clang-format-3.5 -style llvm -i extensions/*.c extensions/*.h
+	clang-format -style llvm -i extensions/*.c extensions/*.h
 
 operf: $(CMARK)
 	operf $< < $(BENCHFILE) > /dev/null

api_test/main.c

@@ -1575,6 +1575,7 @@ int main() {
   int retval;
   test_batch_runner *runner = test_batch_runner_new();
 
+  cmark_init_standard_node_flags();
   version(runner);
   constructor(runner);
   accessors(runner);

bin/main.c

@@ -143,6 +143,7 @@ int main(int argc, char *argv[]) {
   }
 #endif
 
+  cmark_init_standard_node_flags();
   cmark_gfm_core_extensions_ensure_registered();
 
 #ifdef USE_PLEDGE

changelog.txt

@@ -1,3 +1,20 @@
+[0.29.0.gfm.7]
+
+  * Fixed a polynomial time complexity issue per
+    https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p
+  * Fixed an issue in which crafted markdown document could trigger an
+    out-of-bounds read in the validate_protocol function per
+    https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr
+  * Fixed a polynomial time complexity issue
+    https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r
+  * Fixed several polynomial time complexity issues per
+    https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c
+  * We removed an unneeded .DS_Store file (#291)
+  * We added a test for domains with underscores and fix roundtrip behavior (#292)
+  * We now use an up-to-date clang-format (#294)
+  * We made a variety of implicit integer trunctions explicit by moving to
+    size_t as our standard size integer type (#302)
+
 [0.29.0.gfm.6]
   * Fixed polynomial time complexity DoS vulnerability in autolink extension