0
0
mirror of https://github.com/zeux/pugixml.git synced 2024-12-25 20:14:10 +08:00

XPath: Improve recursion limit for deep chains of //

Since foo//bar//baz adds two nodes for each //, we need to increment the
depth by 2 on each iteration to limit the AST correctly.

Fixes the stack overflow found by cluster-fuzz (I suspect the issue
there is a bit deeper, but this part is definitely a bug and as such I'd
rather wait for the next test case for now).
This commit is contained in:
Arseny Kapoulkine 2021-05-11 22:26:15 -07:00
parent 791971ee59
commit 56c9afa7c8
2 changed files with 6 additions and 3 deletions

View File

@ -11822,15 +11822,17 @@ PUGI__NS_BEGIN
lexeme_t l = _lexer.current();
_lexer.next();
if (++_depth > xpath_ast_depth_limit)
return error_rec();
if (l == lex_double_slash)
{
n = alloc_node(ast_step, n, axis_descendant_or_self, nodetest_type_node, 0);
if (!n) return 0;
++_depth;
}
if (++_depth > xpath_ast_depth_limit)
return error_rec();
n = parse_step(n);
if (!n) return 0;
}

View File

@ -402,6 +402,7 @@ TEST(xpath_parse_depth_limit)
CHECK_XPATH_FAIL((STR("/foo") + rep(STR("/x"), limit)).c_str());
CHECK_XPATH_FAIL((STR("1") + rep(STR("+1"), limit)).c_str());
CHECK_XPATH_FAIL((STR("concat(") + rep(STR("1,"), limit) + STR("1)")).c_str());
CHECK_XPATH_FAIL((STR("/foo") + rep(STR("//x"), limit / 2)).c_str());
}
TEST_XML(xpath_parse_location_path, "<node><child/></node>")