Skip to content

[Maintenance] Security Integer overflow in table parsing extension leads to heap memory corruption

Alexandru Emil Lupu requested to merge maintenance/upgrade-cmark-gfm into qa

Maintenance

Change log

Notes

Description Impact

An integer overflow in cmark-gfm's table row parsing (table.c:row_from_string) may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where cmark-gfm is used.

If cmark-gfm is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the cmark-gfm library. Patches

This vulnerability has been patched in the following cmark-gfm releases:

0.29.0.gfm.3
0.28.3.gfm.21

Workarounds

The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered. Acknowledgements

We would like to thank Felix Wilhelm of Google's Project Zero for reporting this vulnerability For more information

If you have any questions or comments about this advisory:

Open an issue in cmark-gfm

Merge request reports