authorTimothy Flynn <trflynn89@pm.me>2021-06-05 09:55:16 -0400
committerAli Mohammad Pur <Ali.mpfard@gmail.com>2021-06-05 23:48:18 +0430
commitf8f36effc9d3fdcf8b780ea2c80bf2fbf9241b8a (patch)
treed15f1dcb3b63d94f383144cf23e9e3d053ca1692 /Userland/Libraries/LibSQL
parent3d9bcb860ea8e5caec376a6380ad177bbd3b9172 (diff)
LibSQL: Limit the allowed depth of an expression tree
According to the definition at https://sqlite.org/lang_expr.html, SQL expressions could be infinitely deep. For practicality, SQLite enforces a maximum expression tree depth of 1000. Apply the same limit in LibSQL to avoid stack overflow in the expression parser. Fixes https://crbug.com/oss-fuzz/34859.
Diffstat (limited to 'Userland/Libraries/LibSQL')
-rw-r--r--Userland/Libraries/LibSQL/Parser.cpp6
-rw-r--r--Userland/Libraries/LibSQL/Parser.h6
2 files changed, 12 insertions, 0 deletions
diff --git a/Userland/Libraries/LibSQL/Parser.cpp b/Userland/Libraries/LibSQL/Parser.cpp
index 26d3fac53f..d3de815094 100644
--- a/Userland/Libraries/LibSQL/Parser.cpp
+++ b/Userland/Libraries/LibSQL/Parser.cpp
@@ -352,6 +352,11 @@ RefPtr<CommonTableExpressionList> Parser::parse_common_table_expression_list()
NonnullRefPtr<Expression> Parser::parse_expression()
{
+ if (++m_parser_state.m_current_expression_depth > Limits::maximum_expression_tree_depth) {
+ syntax_error(String::formatted("Exceeded maximum expression tree depth of {}", Limits::maximum_expression_tree_depth));
+ return create_ast_node<ErrorExpression>();
+ }
+
// https://sqlite.org/lang_expr.html
auto expression = parse_primary_expression();
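Review bot: The early return on the limit path leaves m_current_expression_depth one higher than it was on entry, because the matching decrement only runs on the normal path at the end of the function (the hunk at line 367 of the new file). After the first "Exceeded maximum expression tree depth" error the counter is therefore permanently off by one for the rest of this Parser's lifetime, and every later expression in the same input is judged against a limit of 999, with the skew growing by one per further hit. The smallest fix is to restore the counter before bailing out: `--m_parser_state.m_current_expression_depth;` immediately before `return create_ast_node<ErrorExpression>();`. Since the body between this hunk and the decrement is outside the hunk and may contain other early returns, a scope guard that decrements on every exit (AK's ScopeGuard, armed right after the increment) would make the pairing robust against future edits. parse_expression continues past the end of this hunk.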
@@ -362,6 +367,7 @@ NonnullRefPtr<Expression> Parser::parse_expression()
// FIXME: Parse 'function-name'.
// FIXME: Parse 'raise-function'.
+ --m_parser_state.m_current_expression_depth;
return expression;
}
diff --git a/Userland/Libraries/LibSQL/Parser.h b/Userland/Libraries/LibSQL/Parser.h
index 74595a3b7e..e9f202514d 100644
--- a/Userland/Libraries/LibSQL/Parser.h
+++ b/Userland/Libraries/LibSQL/Parser.h
@@ -14,6 +14,11 @@
namespace SQL {
+namespace Limits {
+// https://www.sqlite.org/limits.html
+constexpr size_t maximum_expression_tree_depth = 1000;
+}
+
class Parser {
struct Position {
size_t line { 0 };
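Review bot: The new Limits::maximum_expression_tree_depth constant is documented only by a URL, which does not tell a reader what the number protects against or why 1000 was chosen. Suggest replacing the comment with something like `// Matches SQLite's default SQLITE_MAX_EXPR_DEPTH (see https://www.sqlite.org/limits.html). Bounds the recursion depth of Parser::parse_expression() so that deeply nested input from an untrusted source cannot exhaust the stack.` The commit message gives the stack-overflow rationale; recording it next to the value keeps the two from drifting apart if the limit is ever tuned.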
@@ -48,6 +53,7 @@ private:
Lexer m_lexer;
Token m_token;
Vector<Error> m_errors;
+ size_t m_current_expression_depth { 0 };
};
NonnullRefPtr<Statement> parse_statement();