From 28b51a7f199d003b309e9dab52457759d5fd7691 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Klinkovsk=C3=BD?=
 <1289205+lahwaacz@users.noreply.github.com>
Date: Thu, 23 May 2024 21:05:56 +0200
Subject: [PATCH] Fix buffer overflow in Markdown parser

This fixes a buffer overflow that happened when parsing a bad Markdown
file with an unclosed emphasis nested in other elements, such as

```markdown
> __af_err af_flip(af_array *out, const af_array in, const unsigned dim)__
```

This snippet comes from the ArrayFire repository [1]. The problem was
found after the refactoring [2] that introduced std::string_view in the
code. The `std::string_view::operator[]` has bounds checking enabled
when the macro `_GLIBCXX_ASSERTIONS` is defined, which is the case of
Arch Linux build system.

[1] https://github.com/arrayfire/arrayfire/blob/0a25d36238aa1eee3b775d3584937ca65b0a1807/docs/pages/matrix_manipulation.md
[2] https://github.com/doxygen/doxygen/commit/f4e37514325abe4aa6aeecbc96e9e3e027885aef
---
 src/markdown.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/markdown.cpp b/src/markdown.cpp
index 10429edd57..df00900b0d 100644
--- a/src/markdown.cpp
+++ b/src/markdown.cpp
@@ -661,6 +661,11 @@ size_t Markdown::Private::findEmphasisChar(std::string_view data, char c, size_t
                      data[i]!='\\' && data[i]!='@' &&
                      !(data[i]=='/' && data[i-1]=='<') && // html end tag also ends emphasis
                      data[i]!='\n') i++;
+    // avoid overflow (unclosed emph token)
+    if (i==size)
+    {
+      return 0;
+    }
     //printf("findEmphasisChar: data=[%s] i=%d c=%c\n",data,i,data[i]);
 
     // not counting escaped chars or characters that are unlikely