
Commit f8737b1

committed
latex writer: fix memory overflow.
We got an array overflow in enumerated lists nested more than 10 deep with a start number other than 1. Found by google/oss-fuzz. https://oss-fuzz.com/v2/testcase-detail/5546760854306816 This commit also ensures that we don't try to set `enum_` counters that aren't defined by LaTeX (generally up to enumv). Closes #210.
1 parent 09d96cd commit f8737b1


1 file changed

+19
-9
lines changed


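--- a/src/latex.c
+++ b/src/latex.c
@@ -220,11 +220,10 @@ static int S_get_enumlevel(cmark_node *node) {
 static int S_render_node(cmark_renderer *renderer, cmark_node *node,
 cmark_event_type ev_type, int options) {
 int list_number;
+int enumlevel;
 char list_number_string[LIST_NUMBER_STRING_SIZE];
 bool entering = (ev_type == CMARK_EVENT_ENTER);
 cmark_list_type list_type;
-const char *roman_numerals[] = {"", "i", "ii", "iii", "iv", "v",
-"vi", "vii", "viii", "ix", "x"};
 bool allow_wrap = renderer->width > 0 && !(CMARK_OPT_NOBREAKS & options);
 
 // avoid warning about unused parameter:
@@ -253,13 +252,24 @@ static int S_render_node(cmark_renderer *renderer, cmark_node *node,
 CR();
 list_number = cmark_node_get_list_start(node);
 if (list_number > 1) {
-snprintf(list_number_string, LIST_NUMBER_STRING_SIZE, "%d",
-list_number);
-LIT("\\setcounter{enum");
-LIT((char *)roman_numerals[S_get_enumlevel(node)]);
-LIT("}{");
-OUT(list_number_string, false, NORMAL);
-LIT("}");
+enumlevel = S_get_enumlevel(node);
+// latex normally supports only five levels
+if (enumlevel >= 1 && enumlevel <= 5) {
+snprintf(list_number_string, LIST_NUMBER_STRING_SIZE, "%d",
+list_number);
+LIT("\\setcounter{enum");
+switch(enumlevel) {
+case 1: LIT("i"); break;
+case 2: LIT("ii"); break;
+case 3: LIT("iii"); break;
+case 4: LIT("iv"); break;
+case 5: LIT("v"); break;
+default: LIT("i"); break;
+}
+LIT("}{");
+OUT(list_number_string, false, NORMAL);
+LIT("}");
+}
 CR();
 }
 } else {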
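Review bot: The new guard still accepts enumlevel 5 and emits `\setcounter{enumv}{…}`, but standard LaTeX's enumerate environment only defines the counters enumi through enumiv (a fifth nested enumerate is already a "Too deeply nested" error), so a level-5 list with a start number other than 1 would still produce an undefined-counter error in the generated document; unless the project targets a package that adds enumv, the check should read `if (enumlevel >= 1 && enumlevel <= 4) {` with the `case 5` arm dropped and the comment reworded to `// standard LaTeX defines only four enumerate counters (enumi..enumiv)`. With the range check in place the `default: LIT("i"); break;` arm can never run; `default: break;` would make that explicit rather than looking like a silent fallback. The out-of-bounds read on the old roman_numerals table is gone now that the level is mapped by a bounded switch instead of used as an index, which is the fix the fuzz case called for; a regression input nested deeper than ten levels with a start number other than 1 would keep it from coming back. S_render_node continues beyond the hunk.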
