fix(demangle): limit recursion depth

google · Oct 5, 2023 · eab1edb · eab1edb
1 parent 319a0df
commit eab1edb
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/src/demangle.cc b/src/demangle.cc
@@ -111,6 +111,7 @@ struct State {
   short nest_level;          // For nested names.
   bool append;               // Append flag.
   bool overflowed;           // True if output gets overflowed.
+  uint32 local_level;
 };
 
 // We don't use strlen() in libc since it's not guaranteed to be async
@@ -155,6 +156,7 @@ static void InitState(State *state, const char *mangled,
   state->nest_level = -1;
   state->append = true;
   state->overflowed = false;
+  state->local_level = 0;
 }
 
 // Returns true and advances "mangled_cur" if we find "one_char_token"
@@ -1208,16 +1210,25 @@ static bool ParseExprPrimary(State *state) {
 //                 [<discriminator>]
 //              := Z <(function) encoding> E s [<discriminator>]
 static bool ParseLocalName(State *state) {
+  // Avoid recursion above max_levels
+  constexpr uint32 max_levels = 5;
+  if (state->local_level > max_levels) {
+    return false;
+  }
+  ++state->local_level;
+
   State copy = *state;
   if (ParseOneCharToken(state, 'Z') && ParseEncoding(state) &&
       ParseOneCharToken(state, 'E') && MaybeAppend(state, "::") &&
       ParseName(state) && Optional(ParseDiscriminator(state))) {
+    --state->local_level;
     return true;
   }
   *state = copy;
 
   if (ParseOneCharToken(state, 'Z') && ParseEncoding(state) &&
       ParseTwoCharToken(state, "Es") && Optional(ParseDiscriminator(state))) {
+    --state->local_level;
     return true;
   }
   *state = copy;