diff options
author | Nick Wellnhofer <wellnhofer@aevum.de> | 2019-09-15 12:15:08 +0200 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2019-09-15 12:15:08 +0200 |
commit | d8ce4f1c27cdcbe0b202a696d636d2122abb192e (patch) | |
tree | 01428b4d9e5b2ee67695b1e7679bb0a7d660facc | |
parent | 2232473733b7313d67de8836ea3b29eec6e8e285 (diff) | |
download | libxslt-d8ce4f1c27cdcbe0b202a696d636d2122abb192e.tar.gz |
Avoid recursion in keys.c:skipPredicate
Fixes potential call stack overflow found by OSS-Fuzz.
-rw-r--r-- | libxslt/keys.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/libxslt/keys.c b/libxslt/keys.c index a1f150aa..ecef5382 100644 --- a/libxslt/keys.c +++ b/libxslt/keys.c @@ -241,6 +241,8 @@ skipString(const xmlChar *cur, int end) { */ static int skipPredicate(const xmlChar *cur, int end) { + int level = 0; + if ((cur == NULL) || (end < 0)) return(-1); if (cur[end] != '[') return(end); end++; @@ -251,12 +253,12 @@ skipPredicate(const xmlChar *cur, int end) { return(-1); continue; } else if (cur[end] == '[') { - end = skipPredicate(cur, end); - if (end <= 0) - return(-1); - continue; - } else if (cur[end] == ']') - return(end + 1); + level += 1; + } else if (cur[end] == ']') { + if (level == 0) + return(end + 1); + level -= 1; + } end++; } return(-1); |