XPath: Improve recursion limit for deep chains of //
Since foo//bar//baz adds two nodes for each //, we need to increment the depth by 2 on each iteration to limit the AST correctly. Fixes the stack overflow found by cluster-fuzz (I suspect the issue there is a bit deeper, but this part is definitely a bug and as such I'd rather wait for the next test case for now).
This commit is contained in:
parent
791971ee59
commit
56c9afa7c8
@ -11822,15 +11822,17 @@ PUGI__NS_BEGIN
|
||||
lexeme_t l = _lexer.current();
|
||||
_lexer.next();
|
||||
|
||||
if (++_depth > xpath_ast_depth_limit)
|
||||
return error_rec();
|
||||
|
||||
if (l == lex_double_slash)
|
||||
{
|
||||
n = alloc_node(ast_step, n, axis_descendant_or_self, nodetest_type_node, 0);
|
||||
if (!n) return 0;
|
||||
|
||||
++_depth;
|
||||
}
|
||||
|
||||
if (++_depth > xpath_ast_depth_limit)
|
||||
return error_rec();
|
||||
|
||||
n = parse_step(n);
|
||||
if (!n) return 0;
|
||||
}
|
||||
|
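Review bot: The `++_depth` added inside the `lex_double_slash` block is itself unchecked; the limit only holds because the second increment right after the block is compared with `>` immediately, so `_depth` can sit at `xpath_ast_depth_limit + 1` between the two increments but never beyond it. That works, yet it also means the `descendant-or-self::node()` step is allocated before the limit is enforced, and a reader has to trace both increments to see why the accounting is safe. I would fail fast and document the intent by checking before the allocation: inside the block, replace `++_depth;` with `if (++_depth > xpath_ast_depth_limit) return error_rec();` placed before `n = alloc_node(...)`, with the comment `// '//' is sugar for an extra descendant-or-self::node() step, so it costs one more AST level`. The enclosing `while` loop and the function it belongs to start outside this hunk, and whether `_depth` is restored by a caller (so this is a chain-depth rather than a global node count) is not visible here.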
@ -402,6 +402,7 @@ TEST(xpath_parse_depth_limit)
|
||||
CHECK_XPATH_FAIL((STR("/foo") + rep(STR("/x"), limit)).c_str());
|
||||
CHECK_XPATH_FAIL((STR("1") + rep(STR("+1"), limit)).c_str());
|
||||
CHECK_XPATH_FAIL((STR("concat(") + rep(STR("1,"), limit) + STR("1)")).c_str());
|
||||
CHECK_XPATH_FAIL((STR("/foo") + rep(STR("//x"), limit / 2)).c_str());
|
||||
}
|
||||
|
||||
TEST_XML(xpath_parse_location_path, "<node><child/></node>")
|
||||
|
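Review bot: The new `CHECK_XPATH_FAIL` case depends on the parity of `limit`: `rep("//x", limit / 2)` contributes `2 * (limit / 2)` depth increments, which equals `limit` only when `limit` is even, and `limit - 1` when it is odd, so for an odd limit the failure hinges entirely on the leading `/foo` contributing a level. Making the count exceed the limit on its own, `rep(STR("//x"), limit / 2 + 1)`, keeps the test meaningful if `xpath_ast_depth_limit` (presumably what `limit` is bound to; its definition is outside the hunk) ever changes. It would also be worth pairing it with a passing case of `limit / 2 - 1` repetitions, as the other shapes in this test presumably have above, so that over-counting `//` is caught as well as under-counting.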