RDiscount Out-of-Bounds Read Vulnerability Leading to Denial-of-Service

Vulnerability

A signed length truncation vulnerability has been identified in RDiscount, a C implementation of Markdown. The issue affects versions from 1.3.1.1 up to, but not including, 2.2.7.4. It allows an out-of-bounds read in the default Markdown parsing process. When an input's length exceeds INT_MAX, the length is truncated to a signed integer, so the parser reads beyond the end of the provided buffer and the process crashes. The root cause is that the parser does not properly validate input lengths before processing, which makes the flaw exploitable with multi-GB inputs of attacker-controlled Markdown.

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a crash of the Ruby process. This behavior creates a reliable denial-of-service condition, particularly in environments that parse untrusted Markdown inputs.

Reproduction

The vulnerability can be reproduced by creating a Ruby string that exceeds 2 billion bytes, which is larger than INT_MAX. This can be done using a Ruby one-liner that constructs such a string and passes it to the RDiscount parser. The process will crash with a segmentation fault, demonstrating the out-of-bounds read and its consequences.

Remediation

Users can upgrade to RDiscount version 2.2.7.4 or later to address this vulnerability.
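Until the upgrade is deployed, a service can check which version it ships and reject oversized Markdown before it reaches the native parser. The following Ruby sketch is an added example, not code from RDiscount or from this advisory. The names `affected_version?`, `as_c_int`, `render_guarded`, `MarkdownTooLarge` and the 1 MiB cap are hypothetical, and a 32-bit C int with two's-complement wraparound is assumed.

```ruby
# Added illustration; not RDiscount code. All names here are hypothetical.
INT_MAX = 2**31 - 1                    # C int limit on common platforms (assumption)
MAX_MARKDOWN_BYTES = 1024 * 1024       # application cap, constructed value

# Affected range as read from the advisory: 1.3.1.1 up to, not including, 2.2.7.4.
AFFECTED = Gem::Requirement.new(">= 1.3.1.1", "< 2.2.7.4")

# True when the given rdiscount version string falls in the affected range.
def affected_version?(version)
  AFFECTED.satisfied_by?(Gem::Version.new(version))
end

# Value a 32-bit signed C int holds after a larger length is narrowed into it
# (two's-complement wraparound; the usual behaviour, assumed here).
def as_c_int(length)
  ((length & 0xFFFFFFFF) ^ 0x80000000) - 0x80000000
end

class MarkdownTooLarge < StandardError; end

# Reject oversized input before the native parser sees it. The block is the
# real renderer, for example { |t| RDiscount.new(t).to_html }.
def render_guarded(text, max_bytes: MAX_MARKDOWN_BYTES)
  size = text.bytesize                 # the C side counts bytes, not characters
  if size > max_bytes || size > INT_MAX
    raise MarkdownTooLarge, "#{size} bytes exceeds the Markdown size limit"
  end
  yield text
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; no multi-GB string is allocated.
  %w[1.3.1.1 2.2.7.3 2.2.7.4].each do |v|
    puts "rdiscount #{v}: #{affected_version?(v) ? 'affected' : 'not affected'}"
  end
  [INT_MAX, 2**31, 2**32 + 10].each do |len|
    puts "length #{len} seen as C int: #{as_c_int(len)}"
  end
  begin
    render_guarded("x" * 11, max_bytes: 10) { |t| t }
  rescue MarkdownTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

The cap belongs at the point where untrusted input enters the application (request body limits, upload limits) as well as directly in front of the parser call.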

Added: Apr 6, 2026, 8:22 PM
Updated: Apr 6, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.0
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.