Fix for use-after-free bug introduced in 71e27f2

phillmv · phillmv · commit a1d171ad4987 · 2021-09-02T10:26:12.000-04:00
Sometimes, when cleaning up unusued footnotes, two footnote-&gt;nodes may
end up referencing each other. As they get free()'d up, this can lead to
problems. Instead, first we unlink every node and _then_ free them up.
diff --git a/src/blocks.c b/src/blocks.c
@@ -523,6 +523,7 @@ static void process_footnotes(cmark_parser *parser) {
     }
   }
 
+  cmark_unlink_footnotes_map(map);
   cmark_map_free(map);
 }
 
diff --git a/src/footnotes.c b/src/footnotes.c
@@ -38,3 +38,26 @@ void cmark_footnote_create(cmark_map *map, cmark_node *node) {
 cmark_map *cmark_footnote_map_new(cmark_mem *mem) {
   return cmark_map_new(mem, footnote_free);
 }
+
+// Before calling `cmark_map_free` on a map with `cmark_footnotes`, first
+// unlink all of the footnote nodes before freeing their memory.
+//
+// Sometimes, two (unused) footnote nodes can end up referencing each other,
+// which as they get freed up by calling `cmark_map_free` -> `footnote_free` ->
+// etc, can lead to a use-after-free error.
+//
+// Better to `unlink` every footnote node first, setting their next, prev, and
+// parent pointers to NULL, and only then walk thru & free them up.
+void cmark_unlink_footnotes_map(cmark_map *map) {
+  cmark_map_entry *ref;
+  cmark_map_entry *next;
+
+  ref = map->refs;
+  while(ref) {
+    next = ref->next;
+    if (((cmark_footnote *)ref)->node) {
+      cmark_node_unlink(((cmark_footnote *)ref)->node);
+    }
+    ref = next;
+  }
+}
diff --git a/src/footnotes.h b/src/footnotes.h
@@ -18,6 +18,8 @@ typedef struct cmark_footnote cmark_footnote;
 void cmark_footnote_create(cmark_map *map, cmark_node *node);
 cmark_map *cmark_footnote_map_new(cmark_mem *mem);
 
+void cmark_unlink_footnotes_map(cmark_map *map);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/test/regression.txt b/test/regression.txt
@@ -354,3 +354,14 @@ Footnotes interacting with strikethrough should not lead to a use-after-free pt2
 .
 <p>[^~~is~~1]</p>
 ````````````````````````````````
+
+Adjacent unused footnotes definitions should not lead to a use after free
+
+```````````````````````````````` example footnotes autolink strikethrough table
+Hello world
+
+
+[^a]:[^b]:
+.
+<p>Hello world</p>
+````````````````````````````````

Original file line number	Diff line number	Diff line change
`@@ -523,6 +523,7 @@ static void process_footnotes(cmark_parser *parser) {`
`523`	`523`	`}`
`524`	`524`	`}`
`525`	`525`
	`526`	`+ cmark_unlink_footnotes_map(map);`
`526`	`527`	`cmark_map_free(map);`
`527`	`528`	`}`
`528`	`529`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@ typedef struct cmark_footnote cmark_footnote;`
`18`	`18`	`void cmark_footnote_create(cmark_map map, cmark_node node);`
`19`	`19`	`cmark_map cmark_footnote_map_new(cmark_mem mem);`
`20`	`20`
	`21`	`+void cmark_unlink_footnotes_map(cmark_map *map);`
	`22`	`+`
`21`	`23`	`#ifdef __cplusplus`
`22`	`24`	`}`
`23`	`25`	`#endif`