scanners: avoid transient write when sentinel already NUL.

jgm · claude · jgm · commit 4e47eba4cd2c · 2026-04-17T12:53:25.000+02:00
_scan_at patched the byte at ptr[c-&gt;len] with '\0' around every
scanner invocation so that the re2c scanners (built with
yyfill:enable = 0) could use it as a stopping sentinel. In the
common case the chunk is backed by a cmark_strbuf whose data[size]
is already '\0', so the write was an idempotent mutation of shared
backing storage. Skip it when the byte is already '\0' to preserve
const-correctness and reentrancy on that path; retain the patch
fallback for chunks that are not already NUL-terminated.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/src/scanners.c b/src/scanners.c
@@ -13,9 +13,20 @@ bufsize_t _scan_at(bufsize_t (*scanner)(const unsigned char *), cmark_chunk *c,
   } else {
     unsigned char lim = ptr[c->len];
 
-    ptr[c->len] = '\0';
-    res = scanner(ptr + offset);
-    ptr[c->len] = lim;
+    // The re2c scanners are built with yyfill:enable = 0, so they
+    // require a NUL sentinel at ptr[c->len].  In the common case the
+    // chunk is backed by a cmark_strbuf which is already NUL-terminated
+    // at that position, so we avoid the transient write entirely (it
+    // would otherwise mutate shared backing storage and break both
+    // const-correctness and reentrancy).  Only when the sentinel is
+    // missing do we fall back to patching the byte around the call.
+    if (lim == '\0') {
+      res = scanner(ptr + offset);
+    } else {
+      ptr[c->len] = '\0';
+      res = scanner(ptr + offset);
+      ptr[c->len] = lim;
+    }
   }
 
   return res;
diff --git a/src/scanners.re b/src/scanners.re
@@ -12,9 +12,20 @@ bufsize_t _scan_at(bufsize_t (*scanner)(const unsigned char *), cmark_chunk *c,
         } else {
 	  unsigned char lim = ptr[c->len];
 
-	  ptr[c->len] = '\0';
-	  res = scanner(ptr + offset);
-	  ptr[c->len] = lim;
+	  // The re2c scanners are built with yyfill:enable = 0, so they
+	  // require a NUL sentinel at ptr[c->len].  In the common case the
+	  // chunk is backed by a cmark_strbuf which is already NUL-terminated
+	  // at that position, so we avoid the transient write entirely (it
+	  // would otherwise mutate shared backing storage and break both
+	  // const-correctness and reentrancy).  Only when the sentinel is
+	  // missing do we fall back to patching the byte around the call.
+	  if (lim == '\0') {
+	    res = scanner(ptr + offset);
+	  } else {
+	    ptr[c->len] = '\0';
+	    res = scanner(ptr + offset);
+	    ptr[c->len] = lim;
+	  }
         }
 
 	return res;
