XPath: Fix stack overflow in functions with long argument lists

Function call arguments are stored in a list which is processed recursively during optimize(). We now limit the depth of this construct as well to make sure optimize() doesn't run out of stack space.
2020-09-11 09:50:41 -07:00 · 2020-09-11 09:50:41 -07:00 · 8e5b8e0f46
commit 8e5b8e0f46
parent 20aef1cd4b
2 changed files with 8 additions and 0 deletions
--- a/src/pugixml.cpp
+++ b/src/pugixml.cpp
@ -11541,6 +11541,8 @@ PUGI__NS_BEGIN
 					return error("Unrecognized function call");
 				_lexer.next();

+				size_t old_depth = _depth;
+
 				while (_lexer.current() != lex_close_brace)
 				{
 					if (argc > 0)
@ -11550,6 +11552,9 @@ PUGI__NS_BEGIN
 						_lexer.next();
 					}

+					if (++_depth > xpath_ast_depth_limit)
+						return error_rec();
+
 					xpath_ast_node* n = parse_expression();
 					if (!n) return 0;

@ -11562,6 +11567,8 @@ PUGI__NS_BEGIN

 				_lexer.next();

+				_depth = old_depth;
+
 				return parse_function(function, argc, args);
 			}

--- a/tests/test_xpath_parse.cpp
+++ b/tests/test_xpath_parse.cpp
@ -401,6 +401,7 @@ TEST(xpath_parse_depth_limit)
 	CHECK_XPATH_FAIL((STR("/foo") + rep(STR("[1]"), limit)).c_str());
 	CHECK_XPATH_FAIL((STR("/foo") + rep(STR("/x"), limit)).c_str());
 	CHECK_XPATH_FAIL((STR("1") + rep(STR("+1"), limit)).c_str());
+	CHECK_XPATH_FAIL((STR("concat(") + rep(STR("1,"), limit) + STR("1)")).c_str());
 }

 TEST_XML(xpath_parse_location_path, "<node><child/></node>")