-rw-r--r-- | libxslt/transform.c | 11 | ||||
-rw-r--r-- | libxslt/xsltInternals.h | 2 | ||||
-rw-r--r-- | tests/fuzz/xslt.c | 1 |
3 files changed, 14 insertions, 0 deletions
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 0636dbd0..b4c8a7cc 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -2411,6 +2411,17 @@ xsltApplySequenceConstructor(xsltTransformContextPtr ctxt,
 */
 cur = list;
 while (cur != NULL) {
+ if (ctxt->opLimit != 0) {
+ if (ctxt->opCount >= ctxt->opLimit) {
+ xsltTransformError(ctxt, NULL, cur,
+ "xsltApplySequenceConstructor: "
+ "Operation limit exceeded\n");
+ ctxt->state = XSLT_STATE_STOPPED;
+ goto error;
+ }
+ ctxt->opCount += 1;
+ }
+
 ctxt->inst = cur;
 
 #ifdef WITH_DEBUGGER
diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
index 464c5cd9..4ac51446 100644
--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
@@ -1780,6 +1780,8 @@ struct _xsltTransformContext {
 int depth; /* Needed to catch recursions */
 int maxTemplateDepth;
 int maxTemplateVars;
+ unsigned long opLimit;
+ unsigned long opCount;
 };
 
 /**
diff --git a/tests/fuzz/xslt.c b/tests/fuzz/xslt.c
index 0520550d..0d7bfebf 100644
--- a/tests/fuzz/xslt.c
+++ b/tests/fuzz/xslt.c
@@ -124,6 +124,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
 ctxt = xsltNewTransformContext(sheet, doc);
 xsltSetCtxtSecurityPrefs(sec, ctxt);
 ctxt->maxTemplateDepth = 100;
+ ctxt->opLimit = 200000;
 xsltSetXPathResourceLimits(ctxt->xpathCtxt);
 ctxt->xpathCtxt->opCount = sheet->xpathCtxt->opCount;
 
|
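Review bot: The check added at the top of the `while (cur != NULL)` loop is skipped whenever `ctxt->opLimit` is 0, and the only place this commit sets the field is the fuzz harness, so the limit is opt-in for every other caller; a comment at the check should say so, e.g. `/* Bound the number of instructions executed per transformation; opLimit == 0 disables the check. */`. The counter advances once per loop iteration, so it presumably does not bound the work done inside a single instruction, and callers processing untrusted stylesheets should not read it as a complete CPU budget. Both fields also appear to rely on the context being zero-initialised at allocation, which is not visible in this diff. The body of xsltApplySequenceConstructor and the `error` label lie outside the hunk.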
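Review bot: The two members appended to `struct _xsltTransformContext` have no comment, unlike `depth` a few lines above, and this header is where a caller would look to learn how to enable the limit. I would write them as `unsigned long opLimit; /* max instructions per transformation, 0 = no limit */` and `unsigned long opCount; /* instructions executed so far */`. The struct definition starts outside the hunk.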