From 0617b2d3168e2d01e2d1672d34ca32471d51efd3 Mon Sep 17 00:00:00 2001
From: Mike Gorse
Date: Wed, 10 May 2023 13:48:43 -0500
Subject: Guard against recursion in atspi_accessible_clear_cache

Add a stamp to AtspiAccessiblePrivate for use when iterating through a tree, and don't touch accessibles that have already been touched. This should further protect against buggy or malicious applications causing infinite recursion.
Fixes #113
---
 atspi/atspi-accessible-private.h | 1 +
 atspi/atspi-accessible.c | 25 +++++++++++++++++--------
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/atspi/atspi-accessible-private.h b/atspi/atspi-accessible-private.h
index e92260ee..fdb572f0 100644
--- a/atspi/atspi-accessible-private.h
+++ b/atspi/atspi-accessible-private.h
@@ -37,6 +37,7 @@ struct _AtspiAccessiblePrivate
 {
 GHashTable *cache;
 guint cache_ref_count;
+ guint iteration_stamp;
 };

 GHashTable *
diff --git a/atspi/atspi-accessible.c b/atspi/atspi-accessible.c
index 1ce6b707..0a78b6bc 100644
--- a/atspi/atspi-accessible.c
+++ b/atspi/atspi-accessible.c
@@ -1739,6 +1739,21 @@ atspi_accessible_set_cache_mask (AtspiAccessible *accessible, AtspiCache mask)
 enable_caching = TRUE;
 }

+static void
+atspi_accessible_clear_cache_internal (AtspiAccessible *obj, guint iteration_stamp)
+{
+ gint i;
+
+ if (obj && obj->priv->iteration_stamp != iteration_stamp)
+ {
+ obj->priv->iteration_stamp = iteration_stamp;
+ obj->cached_properties = ATSPI_CACHE_NONE;
+ if (obj->children)
+ for (i = 0; i < obj->children->len; i++)
+ atspi_accessible_clear_cache_internal (g_ptr_array_index (obj->children, i), iteration_stamp);
+ }
+}
+
 /**
 * atspi_accessible_clear_cache:
 * @obj: The #AtspiAccessible whose cache to clear.
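Review bot: The stamp test at the top of `atspi_accessible_clear_cache_internal` stops a node from being visited twice, but the walk is still recursive, so stack use grows with the depth of the `children` chain. A cycle is now cut off, while a very deep acyclic tree, whose shape presumably comes from the remote application, would still recurse once per level. A worklist traversal keeps the same stamp test and keeps stack use constant; the version below also declares the index as `guint` so the comparison with `children->len` is not signed against unsigned. It dereferences `obj->priv` exactly as the hunk does, so it relies on the same assumption that `priv` is always set.

```c
static void
atspi_accessible_clear_cache_internal (AtspiAccessible *obj, guint iteration_stamp)
{
  GQueue pending = G_QUEUE_INIT;

  if (obj)
    g_queue_push_tail (&pending, obj);

  /* Iterative walk: the queue grows on the heap instead of the call stack. */
  while ((obj = g_queue_pop_head (&pending)) != NULL)
    {
      guint i;

      if (obj->priv->iteration_stamp == iteration_stamp)
        continue; /* already cleared during this pass */
      obj->priv->iteration_stamp = iteration_stamp;
      obj->cached_properties = ATSPI_CACHE_NONE;
      if (!obj->children)
        continue;
      for (i = 0; i < obj->children->len; i++)
        {
          AtspiAccessible *child = g_ptr_array_index (obj->children, i);

          if (child)
            g_queue_push_tail (&pending, child);
        }
    }
}
```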
@@ -1749,15 +1764,9 @@ atspi_accessible_set_cache_mask (AtspiAccessible *accessible, AtspiCache mask)
 void
 atspi_accessible_clear_cache (AtspiAccessible *obj)
 {
- gint i;
+ static guint iteration_stamp = 0;

- if (obj)
- {
- obj->cached_properties = ATSPI_CACHE_NONE;
- if (obj->children)
- for (i = 0; i < obj->children->len; i++)
- atspi_accessible_clear_cache (g_ptr_array_index (obj->children, i));
- }
+ atspi_accessible_clear_cache_internal (obj, ++iteration_stamp);
 }

 /**
--
cgit v1.2.1
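Review bot: `++iteration_stamp` on the function-local `static guint` will eventually wrap to 0, which is presumably also the value a never-visited accessible carries if its private struct is zero-initialised (the allocation is not in this diff); on that pass such objects would be skipped and keep their cached properties. Skipping zero avoids this: `if (++iteration_stamp == 0) iteration_stamp = 1;` followed by `atspi_accessible_clear_cache_internal (obj, iteration_stamp);`. The counter is also shared by every caller without synchronisation, and overlapping walks would overwrite each other's stamps. If this function is only expected to run on one thread, a comment saying so next to the `static` would make that contract explicit.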