Increase the XML nested depth limit to 2048.
parent
4ec21df3a5
commit
041acd156d
|
@ -30,6 +30,7 @@
|
||||||
#include "nsContentUtils.h"
|
#include "nsContentUtils.h"
|
||||||
#include "nsNullPrincipal.h"
|
#include "nsNullPrincipal.h"
|
||||||
|
|
||||||
|
#include "mozilla/IntegerTypeTraits.h"
|
||||||
#include "mozilla/Logging.h"
|
#include "mozilla/Logging.h"
|
||||||
|
|
||||||
using mozilla::fallible;
|
using mozilla::fallible;
|
||||||
|
@ -41,6 +42,9 @@ static const char16_t kUTF16[] = { 'U', 'T', 'F', '-', '1', '6', '\0' };
|
||||||
|
|
||||||
static mozilla::LazyLogModule gExpatDriverLog("expatdriver");
|
static mozilla::LazyLogModule gExpatDriverLog("expatdriver");
|
||||||
|
|
||||||
|
// The maximum tree depth used for XML-based files (xml/svg/etc.)
|
||||||
|
static const uint16_t sMaxXMLDepth = 2048;
|
||||||
|
|
||||||
/***************************** EXPAT CALL BACKS ******************************/
|
/***************************** EXPAT CALL BACKS ******************************/
|
||||||
// The callback handlers that get called from the expat parser.
|
// The callback handlers that get called from the expat parser.
|
||||||
|
|
||||||
|
@ -338,9 +342,6 @@ NS_IMPL_CYCLE_COLLECTING_RELEASE(nsExpatDriver)
|
||||||
|
|
||||||
NS_IMPL_CYCLE_COLLECTION(nsExpatDriver, mSink, mExtendedSink)
|
NS_IMPL_CYCLE_COLLECTION(nsExpatDriver, mSink, mExtendedSink)
|
||||||
|
|
||||||
// We store the tagdepth in a Uint8, so make sure the limit fits in a Uint8.
|
|
||||||
PR_STATIC_ASSERT(MAX_XML_TREE_DEPTH <= UINT8_MAX);
|
|
||||||
|
|
||||||
nsExpatDriver::nsExpatDriver()
|
nsExpatDriver::nsExpatDriver()
|
||||||
: mExpatParser(nullptr),
|
: mExpatParser(nullptr),
|
||||||
mInCData(false),
|
mInCData(false),
|
||||||
|
@ -381,7 +382,12 @@ nsExpatDriver::HandleStartElement(const char16_t *aValue,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (mSink) {
|
if (mSink) {
|
||||||
if (++mTagDepth == MAX_XML_TREE_DEPTH) {
|
// Sanity check: Make sure the limit fits in the type the tag depth tracker
|
||||||
|
// was declared as.
|
||||||
|
static_assert(sMaxXMLDepth <= mozilla::MaxValue<decltype(nsExpatDriver::mTagDepth)>::value,
|
||||||
|
"Maximum XML parsing depth type mismatch: value too large.");
|
||||||
|
|
||||||
|
if (++mTagDepth >= sMaxXMLDepth) {
|
||||||
MaybeStopParser(NS_ERROR_HTMLPARSER_HIERARCHYTOODEEP);
|
MaybeStopParser(NS_ERROR_HTMLPARSER_HIERARCHYTOODEEP);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
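Review bot: The new cap in `sMaxXMLDepth` is a tenfold increase over the old `MAX_XML_TREE_DEPTH` of 200, yet the comment above it says neither what the limit protects nor how 2048 was chosen. If the cap is what bounds recursion in code that later walks the parsed tree (not visible in this diff), a document nested just under the limit should be exercised on the smallest thread stack the parser runs on. The result belongs next to the constant, for example `// Bounds element nesting accepted from untrusted documents; validated against <stack size> stacks.` A test with one document just under the limit and one at it would also pin the `>=` comparison in HandleStartElement, whose body starts and ends outside this hunk. On style, the constant named in the hunk header is `kUTF16`, so `kMaxXMLDepth` would fit better than the `s` prefix.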
|
@ -16,9 +16,6 @@
|
||||||
#include "nsIParser.h"
|
#include "nsIParser.h"
|
||||||
#include "nsCycleCollectionParticipant.h"
|
#include "nsCycleCollectionParticipant.h"
|
||||||
|
|
||||||
// Tree depth limit for XML-based files (xml/svg/etc.)
|
|
||||||
#define MAX_XML_TREE_DEPTH 200
|
|
||||||
|
|
||||||
class nsIExpatSink;
|
class nsIExpatSink;
|
||||||
class nsIExtendedExpatSink;
|
class nsIExtendedExpatSink;
|
||||||
struct nsCatalogData;
|
struct nsCatalogData;
|
||||||
|
@ -123,13 +120,14 @@ private:
|
||||||
// Necko
|
// Necko
|
||||||
bool mIsFinalChunk;
|
bool mIsFinalChunk;
|
||||||
|
|
||||||
uint8_t mTagDepth;
|
// The depth of nested parsing we are currently at
|
||||||
|
uint16_t mTagDepth;
|
||||||
|
|
||||||
nsresult mInternalState;
|
nsresult mInternalState;
|
||||||
|
|
||||||
// The length of the data in Expat's buffer (in number of PRUnichars).
|
// The length of the data in Expat's buffer (in number of PRUnichars).
|
||||||
uint32_t mExpatBuffered;
|
uint32_t mExpatBuffered;
|
||||||
|
|
||||||
// These sinks all refer the same conceptual object. mOriginalSink is
|
// These sinks all refer the same conceptual object. mOriginalSink is
|
||||||
// identical with the nsIContentSink* passed to WillBuildModel, and exists
|
// identical with the nsIContentSink* passed to WillBuildModel, and exists
|
||||||
// only to avoid QI-ing back to nsIContentSink*.
|
// only to avoid QI-ing back to nsIContentSink*.
|
||||||
|
|
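Review bot: The new comment on `mTagDepth` does not mention that the field's width is tied to the limit defined in the .cpp, where a `static_assert` compares `sMaxXMLDepth` with the maximum of `decltype(nsExpatDriver::mTagDepth)`. Suggest `// Current element nesting depth; the type must be able to hold sMaxXMLDepth (static_assert in HandleStartElement).` so that a later narrowing of the type is understood as a limit change. Removing `MAX_XML_TREE_DEPTH` from this header also makes the limit private to one translation unit, so any other file that referenced the macro (none is visible here) would need updating. The class body starts and ends outside the hunk.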