md_is_link_destination_B: Protect from quadratic complexity.

The permission of nesting (balanced) parenthesis pairs in the link destination opened doors to quadratic time with malicious input like e.g. generated by $ python -c 'print("[a](b" * 50000)' See commonmark/cmark#214 for more info. We solve it by limiting the parenthesis nesting level to 32.
mity · Jul 12, 2017 · c717c77 · c717c77
1 parent 4b35788
commit c717c77
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/md4c/md4c.c b/md4c/md4c.c
@@ -1605,9 +1605,13 @@ md_is_link_destination_B(MD_CTX* ctx, OFF beg, OFF max_end, OFF* p_end,
         if(ISWHITESPACE(off) || ISCNTRL(off))
             break;
 
-        /* Link destination may include balanced pairs of unescaped '(' ')'. */
+        /* Link destination may include balanced pairs of unescaped '(' ')'.
+         * Note we limit the maximal nesting level by 32 to protect us from
+         * https://github.com/jgm/cmark/issues/214 */
         if(CH(off) == _T('(')) {
             parenthesis_level++;
+            if(parenthesis_level > 32)
+                return FALSE;
         } else if(CH(off) == _T(')')) {
             if(parenthesis_level == 0)
                 break;