In Tidy 5.5.31, the IsURLCodePoint function in attrs.c allows attackers to cause a denial of service (Segmentation Fault), as demonstrated by an invalid ISALNUM argument.