Merge branch 'fix-footnotes-nested-linkrefs-autolinker' into fix-footnotes-plus-fix-fnref-label-and-backrefs

Author: phillmv

src/blocks.c

@@ -532,6 +532,7 @@ static void process_footnotes(cmark_parser *parser) {
     }
   }
 
+  cmark_unlink_footnotes_map(map);
   cmark_map_free(map);
 }
 

src/footnotes.c

@@ -38,3 +38,26 @@ void cmark_footnote_create(cmark_map *map, cmark_node *node) {
 cmark_map *cmark_footnote_map_new(cmark_mem *mem) {
   return cmark_map_new(mem, footnote_free);
 }
+
+// Before calling `cmark_map_free` on a map with `cmark_footnotes`, first
+// unlink all of the footnote nodes before freeing their memory.
+//
+// Sometimes, two (unused) footnote nodes can end up referencing each other,
+// which as they get freed up by calling `cmark_map_free` -> `footnote_free` ->
+// etc, can lead to a use-after-free error.
+//
+// Better to `unlink` every footnote node first, setting their next, prev, and
+// parent pointers to NULL, and only then walk thru & free them up.
+void cmark_unlink_footnotes_map(cmark_map *map) {
+  cmark_map_entry *ref;
+  cmark_map_entry *next;
+
+  ref = map->refs;
+  while(ref) {
+    next = ref->next;
+    if (((cmark_footnote *)ref)->node) {
+      cmark_node_unlink(((cmark_footnote *)ref)->node);
+    }
+    ref = next;
+  }
+}

src/footnotes.h

@@ -18,6 +18,8 @@ typedef struct cmark_footnote cmark_footnote;
 void cmark_footnote_create(cmark_map *map, cmark_node *node);
 cmark_map *cmark_footnote_map_new(cmark_mem *mem);
 
+void cmark_unlink_footnotes_map(cmark_map *map);
+
 #ifdef __cplusplus
 }
 #endif

src/inlines.c

@@ -1178,6 +1178,7 @@ static cmark_node *handle_close_bracket(cmark_parser *parser, subject *subj) {
       // being replacing the opening '[' text node with a `^footnote-ref]` node.
       cmark_node_insert_before(opener->inl_text, fnref);
 
+      process_emphasis(parser, subj, opener->previous_delimiter);
       // sometimes, the footnote reference text gets parsed into multiple nodes
       // i.e. '[^example]' parsed into '[', '^exam', 'ple]'.
       // this happens for ex with the autolink extension. when the autolinker
@@ -1200,7 +1201,7 @@ static cmark_node *handle_close_bracket(cmark_parser *parser, subject *subj) {
       }
 
       cmark_node_free(opener->inl_text);
-      process_emphasis(parser, subj, opener->previous_delimiter);
+
       pop_bracket(subj);
       return NULL;
     }

test/regression.txt

@@ -338,3 +338,30 @@ It has another footnote that contains many different characters (the autolinker
 </ol>
 </section>
 ````````````````````````````````
+
+Footnotes interacting with strikethrough should not lead to a use-after-free
+
+```````````````````````````````` example footnotes autolink strikethrough table
+|Tot.....[^_a_]|
+.
+<p>|Tot.....[^_a_]|</p>
+````````````````````````````````
+
+Footnotes interacting with strikethrough should not lead to a use-after-free pt2
+
+```````````````````````````````` example footnotes autolink strikethrough table
+[^~~is~~1]
+.
+<p>[^~~is~~1]</p>
+````````````````````````````````
+
+Adjacent unused footnotes definitions should not lead to a use after free
+
+```````````````````````````````` example footnotes autolink strikethrough table
+Hello world
+
+
+[^a]:[^b]:
+.
+<p>Hello world</p>
+````````````````````````````````