diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2017-06-15 16:38:41 +0200 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-02-02 18:55:59 +0100 |
commit | 7d0c56c2879861e97e0c8af6daa16fa3b945eec4 (patch) | |
tree | abb0f1adb136850fd5e94b3cb0cfd2f05fc911c9 /parser | |
parent | c0c702a5e3284e843e680064b4c6a7280242c567 (diff) | |
download | UXP-7d0c56c2879861e97e0c8af6daa16fa3b945eec4.tar UXP-7d0c56c2879861e97e0c8af6daa16fa3b945eec4.tar.gz UXP-7d0c56c2879861e97e0c8af6daa16fa3b945eec4.tar.lz UXP-7d0c56c2879861e97e0c8af6daa16fa3b945eec4.tar.xz UXP-7d0c56c2879861e97e0c8af6daa16fa3b945eec4.zip |
Restrict XML file recursion depth to 200.
This resolves #2.
Diffstat (limited to 'parser')
-rw-r--r-- | parser/htmlparser/nsExpatDriver.cpp | 14 | ||||
-rw-r--r-- | parser/htmlparser/nsExpatDriver.h | 7 |
2 files changed, 17 insertions, 4 deletions
diff --git a/parser/htmlparser/nsExpatDriver.cpp b/parser/htmlparser/nsExpatDriver.cpp index 8882ec593..9cf888f69 100644 --- a/parser/htmlparser/nsExpatDriver.cpp +++ b/parser/htmlparser/nsExpatDriver.cpp @@ -338,6 +338,9 @@ NS_IMPL_CYCLE_COLLECTING_RELEASE(nsExpatDriver) NS_IMPL_CYCLE_COLLECTION(nsExpatDriver, mSink, mExtendedSink) +// We store the tagdepth in a Uint8, so make sure the limit fits in a Uint8. +PR_STATIC_ASSERT(MAX_XML_TREE_DEPTH <= UINT8_MAX); + nsExpatDriver::nsExpatDriver() : mExpatParser(nullptr), mInCData(false), @@ -345,6 +348,7 @@ nsExpatDriver::nsExpatDriver() mInExternalDTD(false), mMadeFinalCallToExpat(false), mIsFinalChunk(false), + mTagDepth(0), mInternalState(NS_OK), mExpatBuffered(0), mCatalogData(nullptr), @@ -359,7 +363,7 @@ nsExpatDriver::~nsExpatDriver() } } -nsresult +void nsExpatDriver::HandleStartElement(const char16_t *aValue, const char16_t **aAtts) { @@ -377,13 +381,16 @@ nsExpatDriver::HandleStartElement(const char16_t *aValue, } if (mSink) { + if (++mTagDepth == MAX_XML_TREE_DEPTH) { + MaybeStopParser(NS_ERROR_HTMLPARSER_HIERARCHYTOODEEP); + return; + } + nsresult rv = mSink-> HandleStartElement(aValue, aAtts, attrArrayLength, XML_GetCurrentLineNumber(mExpatParser)); MaybeStopParser(rv); } - - return NS_OK; } nsresult @@ -395,6 +402,7 @@ nsExpatDriver::HandleEndElement(const char16_t *aValue) if (mSink && mInternalState != NS_ERROR_HTMLPARSER_STOPPARSING) { nsresult rv = mSink->HandleEndElement(aValue); + --mTagDepth; MaybeStopParser(rv); } diff --git a/parser/htmlparser/nsExpatDriver.h b/parser/htmlparser/nsExpatDriver.h index 1bf022ade..0d62bd09d 100644 --- a/parser/htmlparser/nsExpatDriver.h +++ b/parser/htmlparser/nsExpatDriver.h @@ -16,6 +16,9 @@ #include "nsIParser.h" #include "nsCycleCollectionParticipant.h" +// Tree depth limit for XML-based files (xml/svg/etc.) +#define MAX_XML_TREE_DEPTH 200 + class nsIExpatSink; class nsIExtendedExpatSink; struct nsCatalogData; @@ -37,7 +40,7 @@ public: const char16_t *aBase, const char16_t *aSystemId, const char16_t *aPublicId); - nsresult HandleStartElement(const char16_t *aName, const char16_t **aAtts); + void HandleStartElement(const char16_t *aName, const char16_t **aAtts); nsresult HandleEndElement(const char16_t *aName); nsresult HandleCharacterData(const char16_t *aCData, const uint32_t aLength); nsresult HandleComment(const char16_t *aName); @@ -119,6 +122,8 @@ private: // Whether we're sure that we won't be getting more buffers to parse from // Necko bool mIsFinalChunk; + + uint8_t mTagDepth; nsresult mInternalState; |