summaryrefslogtreecommitdiffstats
path: root/parser/htmlparser
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@wolfbeast.com>2019-12-12 17:00:08 +0100
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-12-12 17:00:08 +0100
commitdacb3da00bd17e69f1a8f1080668808a5f3fe431 (patch)
tree46a188f6a02a032bdeff129c0c155c597649e4d9 /parser/htmlparser
parentd2a1d638b57b5431280a45a8b48519a59e5a55a5 (diff)
downloadUXP-dacb3da00bd17e69f1a8f1080668808a5f3fe431.tar
UXP-dacb3da00bd17e69f1a8f1080668808a5f3fe431.tar.gz
UXP-dacb3da00bd17e69f1a8f1080668808a5f3fe431.tar.lz
UXP-dacb3da00bd17e69f1a8f1080668808a5f3fe431.tar.xz
UXP-dacb3da00bd17e69f1a8f1080668808a5f3fe431.zip
Issue #1317 - Increase the XML nested depth limit to 2048.
- Converts from macro to static const for the limit. - Uses a check against the declared type for the counter instead of a hard-coded one. This resolves #1317.
Diffstat (limited to 'parser/htmlparser')
-rw-r--r--parser/htmlparser/nsExpatDriver.cpp14
-rw-r--r--parser/htmlparser/nsExpatDriver.h8
2 files changed, 13 insertions, 9 deletions
diff --git a/parser/htmlparser/nsExpatDriver.cpp b/parser/htmlparser/nsExpatDriver.cpp
index 9cf888f69..e35a1da25 100644
--- a/parser/htmlparser/nsExpatDriver.cpp
+++ b/parser/htmlparser/nsExpatDriver.cpp
@@ -30,6 +30,7 @@
#include "nsContentUtils.h"
#include "nsNullPrincipal.h"
+#include "mozilla/IntegerTypeTraits.h"
#include "mozilla/Logging.h"
using mozilla::fallible;
@@ -41,6 +42,9 @@ static const char16_t kUTF16[] = { 'U', 'T', 'F', '-', '1', '6', '\0' };
static mozilla::LazyLogModule gExpatDriverLog("expatdriver");
+// The maximum tree depth used for XML-based files (xml/svg/etc.)
+static const uint16_t sMaxXMLDepth = 2048;
+
/***************************** EXPAT CALL BACKS ******************************/
// The callback handlers that get called from the expat parser.
@@ -338,9 +342,6 @@ NS_IMPL_CYCLE_COLLECTING_RELEASE(nsExpatDriver)
NS_IMPL_CYCLE_COLLECTION(nsExpatDriver, mSink, mExtendedSink)
-// We store the tagdepth in a Uint8, so make sure the limit fits in a Uint8.
-PR_STATIC_ASSERT(MAX_XML_TREE_DEPTH <= UINT8_MAX);
-
nsExpatDriver::nsExpatDriver()
: mExpatParser(nullptr),
mInCData(false),
@@ -381,7 +382,12 @@ nsExpatDriver::HandleStartElement(const char16_t *aValue,
}
if (mSink) {
- if (++mTagDepth == MAX_XML_TREE_DEPTH) {
+ // Sanity check: Make sure the limit fits in the type the tag depth tracker
+ // was declared as.
+ static_assert(sMaxXMLDepth <= mozilla::MaxValue<decltype(nsExpatDriver::mTagDepth)>::value,
+ "Maximum XML parsing depth type mismatch: value too large.");
+
+ if (++mTagDepth >= sMaxXMLDepth) {
MaybeStopParser(NS_ERROR_HTMLPARSER_HIERARCHYTOODEEP);
return;
}
diff --git a/parser/htmlparser/nsExpatDriver.h b/parser/htmlparser/nsExpatDriver.h
index 0d62bd09d..988409cfe 100644
--- a/parser/htmlparser/nsExpatDriver.h
+++ b/parser/htmlparser/nsExpatDriver.h
@@ -16,9 +16,6 @@
#include "nsIParser.h"
#include "nsCycleCollectionParticipant.h"
-// Tree depth limit for XML-based files (xml/svg/etc.)
-#define MAX_XML_TREE_DEPTH 200
-
class nsIExpatSink;
class nsIExtendedExpatSink;
struct nsCatalogData;
@@ -123,13 +120,14 @@ private:
// Necko
bool mIsFinalChunk;
- uint8_t mTagDepth;
+ // The depth of nested parsing we are currently at
+ uint16_t mTagDepth;
nsresult mInternalState;
// The length of the data in Expat's buffer (in number of PRUnichars).
uint32_t mExpatBuffered;
-
+
// These sinks all refer the same conceptual object. mOriginalSink is
// identical with the nsIContentSink* passed to WillBuildModel, and exists
// only to avoid QI-ing back to nsIContentSink*.