Multiple issues with numeric entities

This closes commonmark#33.
nwellnhof · May 7, 2015 · 5f52f7b · 5f52f7b
1 parent c06c705
commit 5f52f7b
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 13 deletions.
diff --git a/api_test/main.c b/api_test/main.c
@@ -665,6 +665,40 @@ test_continuation_byte(test_batch_runner *runner, const char *utf8)
 	}
 }
 
+static void
+numeric_entities(test_batch_runner *runner)
+{
+	test_md_to_html(runner, "&#0;", "<p>" UTF8_REPL "</p>\n",
+			"Invalid numeric entity 0");
+	test_md_to_html(runner, "&#55295;", "<p>\xED\x9F\xBF</p>\n",
+			"Valid numeric entity 0xD7FF");
+	test_md_to_html(runner, "&#xD800;", "<p>" UTF8_REPL "</p>\n",
+			"Invalid numeric entity 0xD800");
+	test_md_to_html(runner, "&#xDFFF;", "<p>" UTF8_REPL "</p>\n",
+			"Invalid numeric entity 0xDFFF");
+	test_md_to_html(runner, "&#57344;", "<p>\xEE\x80\x80</p>\n",
+			"Valid numeric entity 0xE000");
+	test_md_to_html(runner, "&#x10FFFF;", "<p>\xF4\x8F\xBF\xBF</p>\n",
+			"Valid numeric entity 0x10FFFF");
+	test_md_to_html(runner, "&#x110000;", "<p>" UTF8_REPL "</p>\n",
+			"Invalid numeric entity 0x110000");
+	test_md_to_html(runner, "&#x80000000;", "<p>" UTF8_REPL "</p>\n",
+			"Invalid numeric entity 0x80000000");
+	test_md_to_html(runner, "&#xFFFFFFFF;", "<p>" UTF8_REPL "</p>\n",
+			"Invalid numeric entity 0xFFFFFFFF");
+	test_md_to_html(runner, "&#99999999;", "<p>" UTF8_REPL "</p>\n",
+			"Invalid numeric entity 99999999");
+
+	test_md_to_html(runner, "&#;", "<p>&amp;#;</p>\n",
+			"Min decimal entity length");
+	test_md_to_html(runner, "&#x;", "<p>&amp;#x;</p>\n",
+			"Min hexadecimal entity length");
+	test_md_to_html(runner, "&#999999999;", "<p>&amp;#999999999;</p>\n",
+			"Max decimal entity length");
+	test_md_to_html(runner, "&#x000000041;", "<p>&amp;#x000000041;</p>\n",
+			"Max hexadecimal entity length");
+}
+
 static void
 test_md_to_html(test_batch_runner *runner, const char *markdown,
 		const char *expected_html, const char *msg)
@@ -690,6 +724,7 @@ int main() {
 	parser(runner);
 	render_html(runner);
 	utf8(runner);
+	numeric_entities(runner);
 	test_cplusplus(runner);
 
 	test_print_summary(runner);

diff --git a/src/houdini_html_u.c b/src/houdini_html_u.c
@@ -12,32 +12,45 @@ houdini_unescape_ent(cmark_strbuf *ob, const uint8_t *src, size_t size)
 {
 	size_t i = 0;
 
-	if (size > 3 && src[0] == '#') {
-		int codepoint = 0;
+	if (size >= 3 && src[0] == '#') {
+		int codepoint  = 0;
+		int num_digits = 0;
 
 		if (_isdigit(src[1])) {
 			for (i = 1; i < size && _isdigit(src[i]); ++i) {
-				int cp = (codepoint * 10) + (src[i] - '0');
+				codepoint = (codepoint * 10) + (src[i] - '0');
 
-				if (cp < codepoint)
-					return 0;
-
-				codepoint = cp;
+				if (codepoint >= 0x110000) {
+					// Keep counting digits but
+					// avoid integer overflow.
+					codepoint = 0x110000;
+				}
 			}
+
+			num_digits = i - 1;
 		}
 
 		else if (src[1] == 'x' || src[1] == 'X') {
 			for (i = 2; i < size && _isxdigit(src[i]); ++i) {
-				int cp = (codepoint * 16) + ((src[i] | 32) % 39 - 9);
+				codepoint = (codepoint * 16) + ((src[i] | 32) % 39 - 9);
 
-				if (cp < codepoint)
-					return 0;
-
-				codepoint = cp;
+				if (codepoint >= 0x110000) {
+					// Keep counting digits but
+					// avoid integer overflow.
+					codepoint = 0x110000;
+				}
 			}
+
+			num_digits = i - 2;
 		}
 
-		if (i < size && src[i] == ';' && codepoint) {
+		if (num_digits >= 1 && num_digits <= 8 &&
+		    i < size && src[i] == ';') {
+			if (codepoint == 0 ||
+			    (codepoint >= 0xD800 && codepoint < 0xE000) ||
+			    codepoint >= 0x110000) {
+				codepoint = 0xFFFD;
+			}
 			utf8proc_encode_char(codepoint, ob);
 			return i + 1;
 		}