Fix quadratic parsing issue with repeated <!--.

We handle this the same way we handle the parallel issue with
declarations: if we reach the end of input without seeing `-->`,
we set a flag telling us not to try again.

Resolves GHSL-2022-098

Author: jgm

src/inlines.c

@@ -48,6 +48,7 @@ typedef struct bracket {
 #define FLAG_SKIP_HTML_CDATA        (1u << 0)
 #define FLAG_SKIP_HTML_DECLARATION  (1u << 1)
 #define FLAG_SKIP_HTML_PI           (1u << 2)
+#define FLAG_SKIP_HTML_COMMENT      (1u << 3)
 
 typedef struct subject{
   cmark_mem *mem;
@@ -907,7 +908,7 @@ static cmark_node *handle_pointy_brace(subject *subj, int options) {
   // finally, try to match an html tag
   if (subj->pos + 2 <= subj->input.len) {
     int c = subj->input.data[subj->pos];
-    if (c == '!') {
+    if (c == '!' && (subj->flags & FLAG_SKIP_HTML_COMMENT) == 0) {
       c = subj->input.data[subj->pos+1];
       if (c == '-' && subj->input.data[subj->pos+2] == '-') {
 	if (subj->input.data[subj->pos+3] == '>') {
@@ -917,8 +918,12 @@ static cmark_node *handle_pointy_brace(subject *subj, int options) {
           matchlen = 5;
         } else {
           matchlen = scan_html_comment(&subj->input, subj->pos + 1);
-          if (matchlen > 0)
+          if (matchlen > 0) {
             matchlen += 1; // prefix "<"
+	  } else { // no match through end of input: set a flag so
+		   // we don't reparse looking for -->:
+	    subj->flags |= FLAG_SKIP_HTML_COMMENT;
+	  }
 	}
       } else if (c == '[') {
         if ((subj->flags & FLAG_SKIP_HTML_CDATA) == 0) {