Merge pull request #49 from apple/QuietMisdreavus/sync-upstream-gfm.7

update cmark-gfm to 0.29.0.gfm.8

Author: QuietMisdreavus

.gitignore

@@ -33,6 +33,7 @@ build
 cmark.dSYM/*
 cmark
 .vscode
+.DS_Store
 
 # Testing and benchmark
 alltests.md

CMakeLists.txt

@@ -31,6 +31,16 @@ set(CMAKE_C_STANDARD_REQUIRED YES)
 # Use CMake's generated headers instead of the Swift package prebuilt ones
 add_compile_definitions(CMARK_USE_CMAKE_HEADERS)
 
+option(CMARK_FUZZ_QUADRATIC "Build quadratic fuzzing harness" OFF)
+
+if(CMARK_FUZZ_QUADRATIC)
+  set(FUZZER_FLAGS "-fsanitize=fuzzer-no-link,address -g")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${FUZZER_FLAGS}")
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${FUZZER_FLAGS}")
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${FUZZER_FLAGS}")
+  set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} ${FUZZER_FLAGS}")
+endif()
+
 add_subdirectory(src)
 add_subdirectory(extensions)
 if(CMARK_TESTS AND (CMARK_SHARED OR CMARK_STATIC))
@@ -41,6 +51,9 @@ if(CMARK_TESTS)
   enable_testing()
   add_subdirectory(test testdir)
 endif()
+if(CMARK_FUZZ_QUADRATIC)
+  add_subdirectory(fuzz)
+endif()
 
 if(NOT CMAKE_BUILD_TYPE)
   set(CMAKE_BUILD_TYPE "Release" CACHE STRING

Makefile

@@ -22,7 +22,7 @@ VERSION?=$(SPECVERSION)
 RELEASE?=CommonMark-$(VERSION)
 INSTALL_PREFIX?=/usr/local
 CLANG_CHECK?=clang-check
-CLANG_FORMAT=clang-format-3.5 -style llvm -sort-includes=0 -i
+CLANG_FORMAT=clang-format -style llvm -sort-includes=0 -i
 AFL_PATH?=/usr/local/bin
 
 .PHONY: all cmake_build leakcheck clean fuzztest test debug ubsan asan mingw archive newbench bench format update-spec afl clang-check docker libFuzzer
@@ -140,7 +140,7 @@ $(EXTDIR)/ext_scanners.c: $(EXTDIR)/ext_scanners.re
 	esac
 	re2c --case-insensitive -b -i --no-generation-date -8 \
 		--encoding-policy substitute -o $@ $<
-	clang-format-3.5 -style llvm -i $@
+	clang-format -style llvm -i $@
 
 # We include entities.inc in the repository, so normally this
 # doesn't need to be regenerated:
@@ -211,7 +211,7 @@ format:
 	$(CLANG_FORMAT) src/*.c src/*.h api_test/*.c api_test/*.h
 
 format-extensions:
-	clang-format-3.5 -style llvm -i extensions/*.c extensions/*.h
+	clang-format -style llvm -i extensions/*.c extensions/*.h
 
 operf: $(CMARK)
 	operf $< < $(BENCHFILE) > /dev/null

changelog.txt

@@ -1,3 +1,25 @@
+[0.29.0.gfm.8]
+
+  * We restored backwards compatibility by deprecating the `cmark_init_standard_node_flags()` requirement, which is now a noop (#305)
+  * We added a quadratic complexity fuzzing target (#304)
+
+[0.29.0.gfm.7]
+
+  * Fixed a polynomial time complexity issue per
+    https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p
+  * Fixed an issue in which crafted markdown document could trigger an
+    out-of-bounds read in the validate_protocol function per
+    https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr
+  * Fixed a polynomial time complexity issue
+    https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r
+  * Fixed several polynomial time complexity issues per
+    https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c
+  * We removed an unneeded .DS_Store file (#291)
+  * We added a test for domains with underscores and fix roundtrip behavior (#292)
+  * We now use an up-to-date clang-format (#294)
+  * We made a variety of implicit integer trunctions explicit by moving to
+    size_t as our standard size integer type (#302)
+
 [0.29.0.gfm.6]
   * Fixed polynomial time complexity DoS vulnerability in autolink extension
 

extensions/CMakeLists.txt

@@ -1,4 +1,3 @@
-cmake_minimum_required(VERSION 2.8)
 set(LIBRARY "libcmark-gfm-extensions")
 set(STATICLIBRARY "libcmark-gfm-extensions_static")
 set(LIBRARY_SOURCES
@@ -24,7 +23,6 @@ include_directories(include ${CMAKE_CURRENT_BINARY_DIR})
 
 set(CMAKE_C_FLAGS_PROFILE "${CMAKE_C_FLAGS_RELEASE} -pg")
 set(CMAKE_LINKER_PROFILE "${CMAKE_LINKER_FLAGS_RELEASE} -pg")
-add_compiler_export_flags()
 
 if (CMARK_SHARED)
   add_library(${LIBRARY} SHARED ${LIBRARY_SOURCES})