ofz#63032 urp stack too deep

Change-Id: I13496c629e48128e3d916f3033394392bca3524c Reviewed-on: https://gerrit.libreoffice.org/c/core/+/157656 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
author: Caolán McNamara <caolan.mcnamara@collabora.com> 2023-10-06 16:18:47 +0100
committer: Caolán McNamara <caolan.mcnamara@collabora.com> 2023-10-07 01:16:24 +0200
commit: b4ff0e5fd8e94155cfcb0ab9f9d0ee590f9bee7c (patch)
tree: 0d86377aa9b5ee2b09c81f01cdf55c3f648fef53
parent: e0c33ec15f53a01fa3ee07489871bbe09bb5c9c3 (diff)
2 files changed, 25 insertions, 11 deletions
diff --git a/include/svtools/parrtf.hxx b/include/svtools/parrtf.hxx
index 136026f56990..980b83c9cbfe 100644
--- a/include/svtools/parrtf.hxx
+++ b/include/svtools/parrtf.hxx
@@ -37,6 +37,7 @@ class SVT_DLLPUBLIC SvRTFParser : public SvParser<int>
 {
     std::stack< RtfParserState_Impl > aParserStates;
     int nOpenBrackets;
+    int nUPRLevel;
     rtl_TextEncoding eCodeSet;
     sal_uInt8        nUCharOverread;
 
diff --git a/svtools/source/svrtf/parrtf.cxx b/svtools/source/svrtf/parrtf.cxx
index 42fcc211b264..82d69f7881ac 100644
--- a/svtools/source/svrtf/parrtf.cxx
+++ b/svtools/source/svrtf/parrtf.cxx
@@ -39,6 +39,7 @@ const int MAX_STRING_LEN = 1024;
 SvRTFParser::SvRTFParser( SvStream& rIn, sal_uInt8 nStackSize )
     : SvParser<int>( rIn, nStackSize )
     , nOpenBrackets(0)
+    , nUPRLevel(0)
     , eCodeSet(RTL_TEXTENCODING_MS_1252)
     , nUCharOverread(1)
 {
@@ -160,19 +161,31 @@ int SvRTFParser::GetNextToken_()
                             break;
 
                         case RTF_UPR:
-                            if (!_inSkipGroup) {
-                            // UPR - overread the group with the ansi
-                            //       information
-                            int nNextToken;
-                            do
+                            if (!_inSkipGroup)
                             {
-                                nNextToken = GetNextToken_();
-                            }
-                            while (nNextToken != '{' && nNextToken != sal_Unicode(EOF) && IsParserWorking());
+                                if (nUPRLevel > 256) // fairly sure > 1 is probably an error, but provide some leeway
+                                {
+                                    SAL_WARN("svtools", "urp stack too deep");
+                                    eState = SvParserState::Error;
+                                    break;
+                                }
 
-                            SkipGroup();
-                            GetNextToken_();  // overread the last bracket
-                            nRet = 0;
+                                ++nUPRLevel;
+
+                                // UPR - overread the group with the ansi
+                                //       information
+                                int nNextToken;
+                                do
+                                {
+                                    nNextToken = GetNextToken_();
+                                }
+                                while (nNextToken != '{' && nNextToken != sal_Unicode(EOF) && IsParserWorking());
+
+                                SkipGroup();
+                                GetNextToken_();  // overread the last bracket
+                                nRet = 0;
+
+                                --nUPRLevel;
                             }
                             break;
author	Caolán McNamara <caolan.mcnamara@collabora.com>	2023-10-06 16:18:47 +0100
committer	Caolán McNamara <caolan.mcnamara@collabora.com>	2023-10-07 01:16:24 +0200
commit	b4ff0e5fd8e94155cfcb0ab9f9d0ee590f9bee7c (patch)
tree	0d86377aa9b5ee2b09c81f01cdf55c3f648fef53
parent	e0c33ec15f53a01fa3ee07489871bbe09bb5c9c3 (diff)