Stop using maxParserDepth in xpath.c

Only use a single maxDepth value.
2025-03-19 14:50:07 +03:00 · 2020-08-17 03:37:18 +02:00 · 2020-08-17 03:37:18 +02:00 · 804c52978f
commit 804c52978f
parent 74dcc10b55
2 changed files with 7 additions and 5 deletions
--- a/fuzz/xpath.c
+++ b/fuzz/xpath.c
@ -34,8 +34,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
        xmlXPathContextPtr xpctxt = xmlXPathNewContext(doc);

        /* Resource limits to avoid timeouts and call stack overflows */
-        xpctxt->maxParserDepth = 15;
-        xpctxt->maxDepth = 100;
+        xpctxt->maxDepth = 500;
        xpctxt->opLimit = 500000;

        xmlXPathFreeObject(xmlXPtrEval(BAD_CAST expr, xpctxt));
--- a/xpath.c
+++ b/xpath.c
@ -6119,7 +6119,6 @@ xmlXPathNewContext(xmlDocPtr doc) {
    ret->proximityPosition = -1;

    ret->maxDepth = INT_MAX;
-    ret->maxParserDepth = INT_MAX;

 #ifdef XP_DEFAULT_CACHE_ON
    if (xmlXPathContextSetCache(ret, 1, -1, 0) == -1) {
@ -10948,9 +10947,13 @@ xmlXPathCompileExpr(xmlXPathParserContextPtr ctxt, int sort) {
    xmlXPathContextPtr xpctxt = ctxt->context;

    if (xpctxt != NULL) {
-        if (xpctxt->depth >= xpctxt->maxParserDepth)
+        if (xpctxt->depth >= xpctxt->maxDepth)
            XP_ERROR(XPATH_RECURSION_LIMIT_EXCEEDED);
-        xpctxt->depth += 1;
+        /*
+         * Parsing a single '(' pushes about 10 functions on the call stack
+         * before recursing!
+         */
+        xpctxt->depth += 10;
    }

    xmlXPathCompAndExpr(ctxt);