clean up the depth tracking a bit
This commit is contained in:
Lee Thomason
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
+2
-5
@@ -2384,21 +2384,18 @@ void XMLDocument::Parse()
|
||||
ParseDeep(p, 0, &_parseCurLineNum );
|
||||
}
|
||||
|
||||
bool XMLDocument::PushDepth()
|
||||
void XMLDocument::PushDepth()
|
||||
{
|
||||
_parsingDepth++;
|
||||
if (_parsingDepth == TINYXML2_MAX_ELEMENT_DEPTH) {
|
||||
SetError(XMLError::XML_ELEMENT_DEPTH_EXCEEDED, _parseCurLineNum, "Element nesting is too deep." );
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
bool XMLDocument::PopDepth()
|
||||
void XMLDocument::PopDepth()
|
||||
{
|
||||
TIXMLASSERT(_parsingDepth > 0);
|
||||
--_parsingDepth;
|
||||
return true;
|
||||
}
|
||||
|
||||
XMLPrinter::XMLPrinter( FILE* file, bool compact, int depth ) :
|
||||
|
||||
+8
-6
@@ -106,10 +106,12 @@ static const int TIXML2_PATCH_VERSION = 0;
|
||||
#define TINYXML2_MINOR_VERSION 1
|
||||
#define TINYXML2_PATCH_VERSION 0
|
||||
|
||||
// This is problematic. There needs to be a limit to avoid a stack
|
||||
// overflow. However, that limit varies per system. Going with
|
||||
// the MS value for now. May adjust in future versions.
|
||||
static const int TINYXML2_MAX_ELEMENT_DEPTH = 256;
|
||||
// A fixed element depth limit is problematic. There needs to be a
|
||||
// limit to avoid a stack overflow. However, that limit varies per
|
||||
// system, and the capacity of the stack. On the other hand, it's a trivial
|
||||
// attack that can result from ill, malicious, or even correctly formed XML,
|
||||
// so there needs to be a limit in place.
|
||||
static const int TINYXML2_MAX_ELEMENT_DEPTH = 100;
|
||||
|
||||
namespace tinyxml2
|
||||
{
|
||||
@@ -1915,8 +1917,8 @@ private:
|
||||
private:
|
||||
XMLDocument * _document;
|
||||
};
|
||||
bool PushDepth();
|
||||
bool PopDepth();
|
||||
void PushDepth();
|
||||
void PopDepth();
|
||||
|
||||
template<class NodeType, int PoolElementSize>
|
||||
NodeType* CreateUnlinkedNode( MemPoolT<PoolElementSize>& pool );
|
||||
|
||||
+10
-3
@@ -2026,12 +2026,19 @@ int main( int argc, const char ** argv )
|
||||
}
|
||||
|
||||
{
|
||||
// Bad bad crash.
|
||||
// Bad bad crash. Parsing error results in stack overflow, if uncaught.
|
||||
const char* TESTS[] = {
|
||||
"./resources/xmltest-5330.xml",
|
||||
"./resources/xmltest-4636783552757760.xml",
|
||||
"./resources/xmltest-5720541257269248.xml",
|
||||
0
|
||||
};
|
||||
for (int i=0; TESTS[i]; ++i) {
|
||||
XMLDocument doc;
|
||||
doc.LoadFile("./resources/xmltest-5330.xml");
|
||||
doc.LoadFile(TESTS[i]);
|
||||
XMLTest("Stack overflow prevented.", XMLError::XML_ELEMENT_DEPTH_EXCEEDED, doc.ErrorID());
|
||||
}
|
||||
|
||||
}
|
||||
{
|
||||
// Crashing reported via email.
|
||||
const char* xml =
|
||||
|
||||
Reference in New Issue
Block a user