From 1670cc25bc2771e87f7956a4b0dd634abaa4128b Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Wed, 22 Mar 2017 21:03:15 +0000
Subject: ofz: stack-overflow with infinite parse recursion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: I4973875797446e146cbda6db84958c9e4962aa8b
Reviewed-on: https://gerrit.libreoffice.org/35545
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
---
 svx/source/customshapes/EnhancedCustomShapeFunctionParser.cxx | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/svx/source/customshapes/EnhancedCustomShapeFunctionParser.cxx b/svx/source/customshapes/EnhancedCustomShapeFunctionParser.cxx
index 45f1d786f3d3..fbded8d9e32b 100644
--- a/svx/source/customshapes/EnhancedCustomShapeFunctionParser.cxx
+++ b/svx/source/customshapes/EnhancedCustomShapeFunctionParser.cxx
@@ -178,17 +178,24 @@ class EquationExpression : public ExpressionNode
 {
     sal_Int32                       mnIndex;
     const EnhancedCustomShape2d&    mrCustoShape;
+    mutable bool                    mbGettingValueGuard;
 
 public:
 
     EquationExpression( const EnhancedCustomShape2d& rCustoShape, sal_Int32 nIndex )
         : mnIndex       ( nIndex )
         , mrCustoShape( rCustoShape )
+        , mbGettingValueGuard(false)
     {
     }
     virtual double operator()() const override
     {
-        return mrCustoShape.GetEquationValueAsDouble( mnIndex );
+        if (mbGettingValueGuard)
+            throw ParseError("Loop in Expression");
+        mbGettingValueGuard = true;
+        double fRet = mrCustoShape.GetEquationValueAsDouble(mnIndex);
+        mbGettingValueGuard = false;
+        return fRet;
     }
     virtual bool isConstant() const override
     {
-- 
cgit