Merge pull request from GHSA-r572-jvj2-3m8p

anticomputer · web-flow · commit a68f6307c0d8 · 2023-01-23T12:04:41.000-05:00
Fix GHSL-2022-128 V2
diff --git a/src/inlines.c b/src/inlines.c
@@ -57,6 +57,7 @@ typedef struct subject{
   bracket *last_bracket;
   bufsize_t backticks[MAXBACKTICKS + 1];
   bool scanned_for_backticks;
+  bool no_link_openers;
 } subject;
 
 // Extensions may populate this.
@@ -174,6 +175,7 @@ static void subject_from_buf(cmark_mem *mem, int line_number, int block_offset,
     e->backticks[i] = 0;
   }
   e->scanned_for_backticks = false;
+  e->no_link_openers = true;
 }
 
 static CMARK_INLINE int isbacktick(int c) { return (c == '`'); }
@@ -534,6 +536,9 @@ static void push_bracket(subject *subj, bool image, cmark_node *inl_text) {
     b->in_bracket_image0 = true;
   }
   subj->last_bracket = b;
+  if (!image) {
+    subj->no_link_openers = false;
+  }
 }
 
 // Assumes the subject has a c at the current position.
@@ -1065,16 +1070,16 @@ static cmark_node *handle_close_bracket(cmark_parser *parser, subject *subj) {
     return make_str(subj, subj->pos - 1, subj->pos - 1, cmark_chunk_literal("]"));
   }
 
-  if (!opener->active) {
+  // If we got here, we matched a potential link/image text.
+  // Now we check to see if it's a link/image.
+  is_image = opener->image;
+
+  if (!is_image && subj->no_link_openers) {
     // take delimiter off stack
     pop_bracket(subj);
     return make_str(subj, subj->pos - 1, subj->pos - 1, cmark_chunk_literal("]"));
   }
 
-  // If we got here, we matched a potential link/image text.
-  // Now we check to see if it's a link/image.
-  is_image = opener->image;
-
   after_link_text_pos = subj->pos;
 
   // First, look for an inline link.
@@ -1248,32 +1253,11 @@ static cmark_node *handle_close_bracket(cmark_parser *parser, subject *subj) {
   process_emphasis(parser, subj, opener->previous_delimiter);
   pop_bracket(subj);
 
-  // Now, if we have a link, we also want to deactivate earlier link
-  // delimiters. (This code can be removed if we decide to allow links
+  // Now, if we have a link, we also want to deactivate links until
+  // we get a new opener. (This code can be removed if we decide to allow links
   // inside links.)
   if (!is_image) {
-    opener = subj->last_bracket;
-    while (opener != NULL) {
-      if (!opener->image) {
-        if (!opener->active) {
-          break;
-        } else {
-          opener->active = false;
-        }
-      }
-      opener = opener->previous;
-    }
-    bool in_bracket_image1 = false;
-    if (opener) {
-      in_bracket_image1 = opener->in_bracket_image1;
-    }
-    bracket *opener2 = subj->last_bracket;
-    while (opener2 != opener) {
-      if (opener2->image) {
-        opener2->in_bracket_image1 = in_bracket_image1;
-      }
-      opener2 = opener2->previous;
-    }
+    subj->no_link_openers = true;
   }
 
   return NULL;
diff --git a/test/pathological_tests.py b/test/pathological_tests.py
@@ -63,6 +63,9 @@ def badhash(ref):
     "pattern [ (]( repeated":
                  (("[ (](" * 80000),
                   re.compile("(\[ \(\]\(){80000}")),
+    "pattern ![[]() repeated":
+                 ("![[]()" * 160000,
+                  re.compile("(!\[<a href=\"\"></a>){160000}")),
     "hard link/emph case":
                  ("**x [a*b**c*](d)",
                   re.compile("\\*\\*x <a href=\"d\">a<em>b\\*\\*c</em></a>")),
