author | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-12-12 17:00:08 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-12-12 17:00:08 +0100 |
commit | dacb3da00bd17e69f1a8f1080668808a5f3fe431 (patch) | |
tree | 46a188f6a02a032bdeff129c0c155c597649e4d9 | |
parent | d2a1d638b57b5431280a45a8b48519a59e5a55a5 (diff) | |
Issue #1317 - Increase the XML nested depth limit to 2048.
- Converts from macro to static const for the limit.
- Uses a check against the declared type for the counter instead of
a hard-coded one.
This resolves #1317.
-rw-r--r-- | parser/htmlparser/nsExpatDriver.cpp | 14 | ||||
-rw-r--r-- | parser/htmlparser/nsExpatDriver.h | 8 |
2 files changed, 13 insertions, 9 deletions
diff --git a/parser/htmlparser/nsExpatDriver.cpp b/parser/htmlparser/nsExpatDriver.cpp
index 9cf888f69..e35a1da25 100644
--- a/parser/htmlparser/nsExpatDriver.cpp
+++ b/parser/htmlparser/nsExpatDriver.cpp
@@ -30,6 +30,7 @@
 #include "nsContentUtils.h"
 #include "nsNullPrincipal.h"
+#include "mozilla/IntegerTypeTraits.h"
 #include "mozilla/Logging.h"
 using mozilla::fallible;
@@ -41,6 +42,9 @@ static const char16_t kUTF16[] = { 'U', 'T', 'F', '-', '1', '6', '\0' };
 static mozilla::LazyLogModule gExpatDriverLog("expatdriver");
+// The maximum tree depth used for XML-based files (xml/svg/etc.)
+static const uint16_t sMaxXMLDepth = 2048;
+
 /***************************** EXPAT CALL BACKS ******************************/
 // The callback handlers that get called from the expat parser.
@@ -338,9 +342,6 @@ NS_IMPL_CYCLE_COLLECTING_RELEASE(nsExpatDriver)
 NS_IMPL_CYCLE_COLLECTION(nsExpatDriver, mSink, mExtendedSink)
-// We store the tagdepth in a Uint8, so make sure the limit fits in a Uint8.
-PR_STATIC_ASSERT(MAX_XML_TREE_DEPTH <= UINT8_MAX);
-
 nsExpatDriver::nsExpatDriver()
 : mExpatParser(nullptr),
 mInCData(false),
@@ -381,7 +382,12 @@ nsExpatDriver::HandleStartElement(const char16_t *aValue,
 }
 if (mSink) {
- if (++mTagDepth == MAX_XML_TREE_DEPTH) {
+ // Sanity check: Make sure the limit fits in the type the tag depth tracker
+ // was declared as.
+ static_assert(sMaxXMLDepth <= mozilla::MaxValue<decltype(nsExpatDriver::mTagDepth)>::value,
+ "Maximum XML parsing depth type mismatch: value too large.");
+ if (++mTagDepth >= sMaxXMLDepth) {
 MaybeStopParser(NS_ERROR_HTMLPARSER_HIERARCHYTOODEEP);
 return;
 }
diff --git a/parser/htmlparser/nsExpatDriver.h b/parser/htmlparser/nsExpatDriver.h
index 0d62bd09d..988409cfe 100644
--- a/parser/htmlparser/nsExpatDriver.h
+++ b/parser/htmlparser/nsExpatDriver.h
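Review bot: The file-scope constant added in the second hunk of nsExpatDriver.cpp, `static const uint16_t sMaxXMLDepth = 2048;`, uses an `s` prefix although the constant visible just above it in the same hunk is named `kUTF16`, and it could be `constexpr` since it feeds a `static_assert`. I would write it as `static constexpr uint16_t kMaxXMLDepth = 2048;` and update the two uses in HandleStartElement. Its comment states what the value is but not why a cap exists; a line such as `// Parsing stops with NS_ERROR_HTMLPARSER_HIERARCHYTOODEEP once element nesting reaches this depth.` would make the effect of changing it clear to the next editor.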
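Review bot: In nsExpatDriver::HandleStartElement the new `++mTagDepth >= sMaxXMLDepth` check lets a document nest roughly ten times deeper than the old limit of 200 before NS_ERROR_HTMLPARSER_HIERARCHYTOODEEP is raised, and nothing in the hunk records what that depth was validated against. If the cap is what keeps recursive consumers of the resulting tree within their stack budget (the usual purpose of such a limit, though not visible here), 2048 levels should be exercised on the smallest thread stack the parser runs on, with a regression test for a document nested just below and exactly at the limit. The `static_assert` presumably sits inside the member function because `mTagDepth` is private; a comment like `// Kept inside a member function so decltype can name the private mTagDepth.` would stop it being moved back to file scope. The function body starts and ends outside the hunk, so whether the counter is decremented symmetrically on end-element cannot be confirmed from here.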
@@ -16,9 +16,6 @@
 #include "nsIParser.h"
 #include "nsCycleCollectionParticipant.h"
-// Tree depth limit for XML-based files (xml/svg/etc.)
-#define MAX_XML_TREE_DEPTH 200
-
 class nsIExpatSink;
 class nsIExtendedExpatSink;
 struct nsCatalogData;
@@ -123,13 +120,14 @@ private:
 // Necko
 bool mIsFinalChunk;
- uint8_t mTagDepth;
+ // The depth of nested parsing we are currently at
+ uint16_t mTagDepth;
 nsresult mInternalState;
 // The length of the data in Expat's buffer (in number of PRUnichars).
 uint32_t mExpatBuffered;
-
+
 // These sinks all refer the same conceptual object. mOriginalSink is
 // identical with the nsIContentSink* passed to WillBuildModel, and exists
 // only to avoid QI-ing back to nsIContentSink*. |
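Review bot: The comment added above `uint16_t mTagDepth;` does not mention that the width of this member is tied to the depth limit that now lives in nsExpatDriver.cpp, so a later change of type here only surfaces as a `static_assert` failure in another file. I would word it as `// Current element nesting depth; the type must be able to hold sMaxXMLDepth (static_assert in HandleStartElement).`. The class body continues outside the hunk, so the member's initialisation in the constructor is not visible here and is worth confirming alongside the type change.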