From 68f182066a8e2efa6d70abb1f568775fc48c608a Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Thu, 24 May 2018 11:25:06 +0100
Subject: ofz#8490 stack exhaustion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

a linear loop builds a recursive structure, if it gets too deep then later
processing, e.g. releasing the tree, can exhaust stack

Change-Id: I4421b9bae62ac2b6ffe32531d1167a482103bfde
Reviewed-on: https://gerrit.libreoffice.org/54762
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
---
 starmath/source/parse.cxx | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'starmath/source')

diff --git a/starmath/source/parse.cxx b/starmath/source/parse.cxx
index 9bb4530eae4e..232a5273f3bc 100644
--- a/starmath/source/parse.cxx
+++ b/starmath/source/parse.cxx
@@ -1103,8 +1103,16 @@ std::unique_ptr<SmNode> SmParser::DoProduct()
 
     auto xFirst = DoPower();
 
+    int nDepthLimit = 0;
+
     while (TokenInGroup(TG::Product))
     {
+        //this linear loop builds a recursive structure, if it gets
+        //too deep then later processing, e.g. releasing the tree,
+        //can exhaust stack
+        if (nDepthLimit > DEPTH_LIMIT)
+            throw std::range_error("parser depth limit");
+
         std::unique_ptr<SmStructureNode> xSNode;
         std::unique_ptr<SmNode> xOper;
         bool bSwitchArgs = false;
@@ -1169,6 +1177,7 @@ std::unique_ptr<SmNode> SmParser::DoProduct()
             xSNode->SetSubNodes(xFirst.release(), xOper.release(), xArg.release());
         }
         xFirst = std::move(xSNode);
+        ++nDepthLimit;
     }
     return xFirst;
 }
-- 
cgit