summaryrefslogtreecommitdiffstats
path: root/parser/htmlparser/nsExpatDriver.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'parser/htmlparser/nsExpatDriver.cpp')
-rw-r--r--parser/htmlparser/nsExpatDriver.cpp14
1 files changed, 11 insertions, 3 deletions
diff --git a/parser/htmlparser/nsExpatDriver.cpp b/parser/htmlparser/nsExpatDriver.cpp
index 8882ec593..9cf888f69 100644
--- a/parser/htmlparser/nsExpatDriver.cpp
+++ b/parser/htmlparser/nsExpatDriver.cpp
@@ -338,6 +338,9 @@ NS_IMPL_CYCLE_COLLECTING_RELEASE(nsExpatDriver)
NS_IMPL_CYCLE_COLLECTION(nsExpatDriver, mSink, mExtendedSink)
+// We store the tagdepth in a Uint8, so make sure the limit fits in a Uint8.
+PR_STATIC_ASSERT(MAX_XML_TREE_DEPTH <= UINT8_MAX);
+
nsExpatDriver::nsExpatDriver()
: mExpatParser(nullptr),
mInCData(false),
@@ -345,6 +348,7 @@ nsExpatDriver::nsExpatDriver()
mInExternalDTD(false),
mMadeFinalCallToExpat(false),
mIsFinalChunk(false),
+ mTagDepth(0),
mInternalState(NS_OK),
mExpatBuffered(0),
mCatalogData(nullptr),
@@ -359,7 +363,7 @@ nsExpatDriver::~nsExpatDriver()
}
}
-nsresult
+void
nsExpatDriver::HandleStartElement(const char16_t *aValue,
const char16_t **aAtts)
{
@@ -377,13 +381,16 @@ nsExpatDriver::HandleStartElement(const char16_t *aValue,
}
if (mSink) {
+ if (++mTagDepth == MAX_XML_TREE_DEPTH) {
+ MaybeStopParser(NS_ERROR_HTMLPARSER_HIERARCHYTOODEEP);
+ return;
+ }
+
nsresult rv = mSink->
HandleStartElement(aValue, aAtts, attrArrayLength,
XML_GetCurrentLineNumber(mExpatParser));
MaybeStopParser(rv);
}
-
- return NS_OK;
}
nsresult
@@ -395,6 +402,7 @@ nsExpatDriver::HandleEndElement(const char16_t *aValue)
if (mSink && mInternalState != NS_ERROR_HTMLPARSER_STOPPARSING) {
nsresult rv = mSink->HandleEndElement(aValue);
+ --mTagDepth;
MaybeStopParser(rv);
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-11 10:02:52 +0000