Avoid recursion in keys.c:skipPredicate

Fixes potential call stack overflow found by OSS-Fuzz.
author: Nick Wellnhofer <wellnhofer@aevum.de> 2019-09-15 12:15:08 +0200
committer: Nick Wellnhofer <wellnhofer@aevum.de> 2019-09-15 12:15:08 +0200
commit: d8ce4f1c27cdcbe0b202a696d636d2122abb192e (patch)
tree: 01428b4d9e5b2ee67695b1e7679bb0a7d660facc
parent: 2232473733b7313d67de8836ea3b29eec6e8e285 (diff)
download: libxslt-d8ce4f1c27cdcbe0b202a696d636d2122abb192e.tar.gz
1 files changed, 8 insertions, 6 deletions
diff --git a/libxslt/keys.c b/libxslt/keys.c
index a1f150aa..ecef5382 100644
--- a/libxslt/keys.c
+++ b/libxslt/keys.c
@@ -241,6 +241,8 @@ skipString(const xmlChar *cur, int end) {
  */
 static int
 skipPredicate(const xmlChar *cur, int end) {
+    int level = 0;
+
     if ((cur == NULL) || (end < 0)) return(-1);
     if (cur[end] != '[') return(end);
     end++;
@@ -251,12 +253,12 @@ skipPredicate(const xmlChar *cur, int end) {
 	        return(-1);
 	    continue;
 	} else if (cur[end] == '[') {
-	    end = skipPredicate(cur, end);
-	    if (end <= 0)
-	        return(-1);
-	    continue;
-	} else if (cur[end] == ']')
-	    return(end + 1);
+            level += 1;
+	} else if (cur[end] == ']') {
+            if (level == 0)
+	        return(end + 1);
+            level -= 1;
+        }
 	end++;
     }
     return(-1);
author	Nick Wellnhofer <wellnhofer@aevum.de>	2019-09-15 12:15:08 +0200
committer	Nick Wellnhofer <wellnhofer@aevum.de>	2019-09-15 12:15:08 +0200
commit	d8ce4f1c27cdcbe0b202a696d636d2122abb192e (patch)
tree	01428b4d9e5b2ee67695b1e7679bb0a7d660facc
parent	2232473733b7313d67de8836ea3b29eec6e8e285 (diff)
download	libxslt-d8ce4f1c27cdcbe0b202a696d636d2122abb192e.tar.gz