ofz#5526 restrict mml parsing depth

Change-Id: Ib74787137112fb8402a2f6400ab4313d43c103dc Reviewed-on: https://gerrit.libreoffice.org/48277Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>

ofz#5526 restrict mml parsing depth
Change-Id: Ib74787137112fb8402a2f6400ab4313d43c103dc Reviewed-on: https://gerrit.libreoffice.org/48277Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
f1d1eb2c · Caolán McNamara · 6763c0ce · f1d1eb2c · f1d1eb2c
Kaydet (Commit) f1d1eb2c authored Ock 21, 2018 tarafından Caolán McNamara
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 4 deletions

mathmlimport.cxx starmath/source/mathmlimport.cxx +20 -4

mathmlimport.hxx starmath/source/mathmlimport.hxx +5 -0

No files found.
--- a/starmath/source/mathmlimport.cxx
+++ b/starmath/source/mathmlimport.cxx
@@ -410,7 +410,8 @@ SmXMLImport::SmXMLImport(
    const css::uno::Reference< css::uno::XComponentContext >& rContext,
    OUString const & implementationName, SvXMLImportFlags nImportFlags)
 :   SvXMLImport(rContext, implementationName, nImportFlags),
-    bSuccess(false)
+    bSuccess(false),
+    nParseDepth(0)
 {
 }

@@ -536,7 +537,15 @@ class SmXMLImportContext: public SvXMLImportContext
 public:
    SmXMLImportContext( SmXMLImport &rImport, sal_uInt16 nPrfx,
        const OUString& rLName)
-        : SvXMLImportContext(rImport, nPrfx, rLName) {}
+        : SvXMLImportContext(rImport, nPrfx, rLName)
+    {
+        GetSmImport().IncParseDepth();
+    }
+
+    virtual ~SmXMLImportContext() override
+    {
+        GetSmImport().DecParseDepth();
+    }

    SmXMLImport& GetSmImport()
    {
@@ -546,6 +555,12 @@ public:
    virtual void TCharacters(const OUString & /*rChars*/);
    virtual void Characters(const OUString &rChars) override;
    virtual SvXMLImportContextRef CreateChildContext(sal_uInt16 /*nPrefix*/, const OUString& /*rLocalName*/, const uno::Reference< xml::sax::XAttributeList > & /*xAttrList*/) override;
+    virtual void StartElement(const css::uno::Reference<css::xml::sax::XAttributeList>& rAttrList) override
+    {
+        if (GetSmImport().TooDeep())
+            throw std::range_error("too deep");
+        SvXMLImportContext::StartElement(rAttrList);
+    }
 };

 void SmXMLImportContext::TCharacters(const OUString & /*rChars*/)
@@ -906,7 +921,9 @@ public:
    SmXMLRowContext_Impl(SmXMLImport &rImport,sal_uInt16 nPrefix,
        const OUString& rLName)
        : SmXMLDocContext_Impl(rImport,nPrefix,rLName)
-        { nElementCount = GetSmImport().GetNodeStack().size(); }
+        , nElementCount(GetSmImport().GetNodeStack().size())
+    {
+    }

    virtual SvXMLImportContextRef CreateChildContext(sal_uInt16 nPrefix, const OUString& rLocalName, const uno::Reference< xml::sax::XAttributeList > &xAttrList) override;

@@ -916,7 +933,6 @@ public:
    void EndElement() override;
 };

-
 class SmXMLEncloseContext_Impl : public SmXMLRowContext_Impl
 {
 public:

--- a/starmath/source/mathmlimport.hxx
+++ b/starmath/source/mathmlimport.hxx
@@ -80,6 +80,7 @@ class SmXMLImport : public SvXMLImport

        SmNodeStack aNodeStack;
        bool bSuccess;
+        int nParseDepth;
        OUString aText;

 public:
@@ -181,6 +182,10 @@ public:

    virtual void SetViewSettings(const css::uno::Sequence<css::beans::PropertyValue>& aViewProps) override;
    virtual void SetConfigurationSettings(const css::uno::Sequence<css::beans::PropertyValue>& aViewProps) override;
+
+    void IncParseDepth() { ++nParseDepth; }
+    bool TooDeep() const { return nParseDepth >= 2048; }
+    void DecParseDepth() { --nParseDepth; }
 };