Impact
An integer overflow in cmark-gfm's table row parsing (table.c:row_from_string) may lead to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where cmark-gfm is used.
If cmark-gfm is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the cmark-gfm library.
Patches
This vulnerability has been patched in the following cmark-gfm releases:
- 0.29.0.gfm.3
- 0.28.3.gfm.21
Workarounds
The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
Acknowledgements
We would like to thank Felix Wilhelm of Google's Project Zero for reporting this vulnerability
For more information
If you have any questions or comments about this advisory:
Impact
An integer overflow in cmark-gfm's table row parsing (
table.c:row_from_string) may lead to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and wherecmark-gfmis used.If
cmark-gfmis used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of thecmark-gfmlibrary.Patches
This vulnerability has been patched in the following cmark-gfm releases:
Workarounds
The vulnerability exists in the table markdown extensions of
cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.Acknowledgements
We would like to thank Felix Wilhelm of Google's Project Zero for reporting this vulnerability
For more information
If you have any questions or comments about this advisory: