[Libreoffice-commits] core.git: starmath/inc starmath/source

Caolán McNamara caolanm at redhat.com
Thu May 24 13:55:14 UTC 2018 

 starmath/inc/parse.hxx    |    4 +++-
 starmath/source/parse.cxx |    9 +++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

New commits:
commit 68f182066a8e2efa6d70abb1f568775fc48c608a
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu May 24 11:25:06 2018 +0100

    ofz#8490 stack exhaustion
    
    a linear loop builds a recursive structure, if it gets too deep then later
    processing, e.g. releasing the tree, can exhaust stack
    
    Change-Id: I4421b9bae62ac2b6ffe32531d1167a482103bfde
    Reviewed-on: https://gerrit.libreoffice.org/54762
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/starmath/inc/parse.hxx b/starmath/inc/parse.hxx
index c49f0f6ff9cf..17e20b4cdaea 100644
--- a/starmath/inc/parse.hxx
+++ b/starmath/inc/parse.hxx
@@ -29,6 +29,8 @@
 #include "error.hxx"
 #include "node.hxx"
 
+#define DEPTH_LIMIT 1024
+
 class SmParser
 {
     OUString        m_aBufferString;
@@ -53,7 +55,7 @@ class SmParser
         {
             ++m_rParseDepth;
         }
-        bool TooDeep() const { return m_rParseDepth > 1024; }
+        bool TooDeep() const { return m_rParseDepth > DEPTH_LIMIT; }
         ~DepthProtect()
         {
             --m_rParseDepth;
diff --git a/starmath/source/parse.cxx b/starmath/source/parse.cxx
index 9bb4530eae4e..232a5273f3bc 100644
--- a/starmath/source/parse.cxx
+++ b/starmath/source/parse.cxx
@@ -1103,8 +1103,16 @@ std::unique_ptr<SmNode> SmParser::DoProduct()
 
     auto xFirst = DoPower();
 
+    int nDepthLimit = 0;
+
     while (TokenInGroup(TG::Product))
     {
+        //this linear loop builds a recursive structure, if it gets
+        //too deep then later processing, e.g. releasing the tree,
+        //can exhaust stack
+        if (nDepthLimit > DEPTH_LIMIT)
+            throw std::range_error("parser depth limit");
+
         std::unique_ptr<SmStructureNode> xSNode;
         std::unique_ptr<SmNode> xOper;
         bool bSwitchArgs = false;
@@ -1169,6 +1177,7 @@ std::unique_ptr<SmNode> SmParser::DoProduct()
             xSNode->SetSubNodes(xFirst.release(), xOper.release(), xArg.release());
         }
         xFirst = std::move(xSNode);
+        ++nDepthLimit;
     }
     return xFirst;
 }

More information about the Libreoffice-commits mailing list