diff options
author | Caolán McNamara <caolanm@redhat.com> | 2018-05-24 11:25:06 +0100 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2018-05-24 15:54:52 +0200 |
commit | 68f182066a8e2efa6d70abb1f568775fc48c608a (patch) | |
tree | c9128f3e8975a18849fde31960dbc89861ab50d7 /starmath/source | |
parent | 4b42fd7e9516fbbd8a92d97680524f32dd260fb2 (diff) |
ofz#8490 stack exhaustion
a linear loop builds a recursive structure, if it gets too deep then later
processing, e.g. releasing the tree, can exhaust stack
Change-Id: I4421b9bae62ac2b6ffe32531d1167a482103bfde
Reviewed-on: https://gerrit.libreoffice.org/54762
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'starmath/source')
-rw-r--r-- | starmath/source/parse.cxx | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/starmath/source/parse.cxx b/starmath/source/parse.cxx index 9bb4530eae4e..232a5273f3bc 100644 --- a/starmath/source/parse.cxx +++ b/starmath/source/parse.cxx @@ -1103,8 +1103,16 @@ std::unique_ptr<SmNode> SmParser::DoProduct() auto xFirst = DoPower(); + int nDepthLimit = 0; + while (TokenInGroup(TG::Product)) { + //this linear loop builds a recursive structure, if it gets + //too deep then later processing, e.g. releasing the tree, + //can exhaust stack + if (nDepthLimit > DEPTH_LIMIT) + throw std::range_error("parser depth limit"); + std::unique_ptr<SmStructureNode> xSNode; std::unique_ptr<SmNode> xOper; bool bSwitchArgs = false; @@ -1169,6 +1177,7 @@ std::unique_ptr<SmNode> SmParser::DoProduct() xSNode->SetSubNodes(xFirst.release(), xOper.release(), xArg.release()); } xFirst = std::move(xSNode); + ++nDepthLimit; } return xFirst; } |