blocks: Fix quadratic behavior in check_open_blocks

If we find consecutive blank lines inside a list item, abort early in
check_open_blocks by returning NULL. This makes S_process_line skip the
calls to open_new_blocks and add_text_to_container. open_new_blocks is a
no-op for blank lines. add_text_to_container would add an empty line
only for code and HTML blocks which we account for in check_open_blocks.

Fixes part of GHSA-66g8-4hjf-77xh. Obsoletes commonmark#475.

Author: nwellnhof

src/blocks.c

@@ -904,6 +904,31 @@ static cmark_node *check_open_blocks(cmark_parser *parser, cmark_chunk *input,
       if (!parse_block_quote_prefix(parser, input))
         goto done;
       break;
+    case CMARK_NODE_LIST:
+      // Avoid quadratic behavior caused by iterating deeply nested lists
+      // for each blank line.
+      if (parser->blank) {
+        if (container->flags & CMARK_NODE__LIST_LAST_LINE_BLANK &&
+            parser->indent == 0) {
+          // Abort early if we encounter multiple blank lines. Returning
+          // NULL will cause S_process_line to skip the calls to
+          // open_new_blocks and add_text_to_container. open_new_blocks
+          // is a no-op for blank lines. add_text_to_container closes
+          // remaining open nodes, but since we have a second blank
+          // line, all open nodes have already been closed when the
+          // first blank line was processed. Certain block types accept
+          // empty lines as content, so add them here.
+          if (parser->current->type == CMARK_NODE_CODE_BLOCK ||
+              parser->current->type == CMARK_NODE_HTML_BLOCK) {
+            add_line(input, parser);
+          }
+          return NULL;
+        }
+        container->flags |= CMARK_NODE__LIST_LAST_LINE_BLANK;
+      } else {
+        container->flags &= ~CMARK_NODE__LIST_LAST_LINE_BLANK;
+      }
+      break;
     case CMARK_NODE_ITEM:
       if (!parse_node_item_prefix(parser, input, container))
         goto done;

src/node.h

@@ -50,6 +50,7 @@ enum cmark_node__internal_flags {
   CMARK_NODE__OPEN = (1 << 0),
   CMARK_NODE__LAST_LINE_BLANK = (1 << 1),
   CMARK_NODE__LAST_LINE_CHECKED = (1 << 2),
+  CMARK_NODE__LIST_LAST_LINE_BLANK = (1 << 3),
 };
 
 struct cmark_node {

test/pathological_tests.py

@@ -110,6 +110,9 @@ def badhash(ref):
     "unclosed <!--":
                  ("</" + "<!--" * 300000,
                   re.compile("\\&lt;\\/(\\&lt;!--){300000}")),
+    "empty lines in deeply nested lists":
+                 ("- " * 30000 + "x" + "\n" * 30000,
+                  re.compile(r"^(<\w+>\n?)+x(</\w+>\n)+$")),
     "reference collisions": hash_collisions()
 #    "many references":
 #                 ("".join(map(lambda x: ("[" + str(x) + "]: u\n"), range(1,5000 * 16))) + "[0] " * 5000,