From 50b7122798ee8783ac52dacf7f1f9cb41d3be160 Mon Sep 17 00:00:00 2001
From: AnotherTest
Date: Mon, 30 Nov 2020 17:32:48 +0330
Subject: Shell: Error out when an expression is nested too deep

That can happen with too many nested parenthesis, for instance. This commit sets the maximum allowed limit to 2048 (seems relatively safe for normal code). Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28105&q=label%3AProj-serenity
---
 Shell/Parser.cpp | 3 +++
 Shell/Parser.h   | 1 +
 2 files changed, 4 insertions(+)
(limited to 'Shell')

diff --git a/Shell/Parser.cpp b/Shell/Parser.cpp
index d7d173cb98..e3c43c0ed4 100644
--- a/Shell/Parser.cpp
+++ b/Shell/Parser.cpp
@@ -959,6 +959,9 @@ RefPtr Parser::parse_list_expression()
 RefPtr Parser::parse_expression()
 {
     auto rule_start = push_start();
+    if (m_rule_start_offsets.size() > max_allowed_nested_rule_depth)
+        return create(String::formatted("Expression nested too deep (max allowed is {})", max_allowed_nested_rule_depth));
+
     auto starting_char = peek();
 
     auto read_concat = [&](auto&& expr) -> NonnullRefPtr {
diff --git a/Shell/Parser.h b/Shell/Parser.h
index cf5ee4eb6d..5fe34308b5 100644
--- a/Shell/Parser.h
+++ b/Shell/Parser.h
@@ -51,6 +51,7 @@ public:
     SavedOffset save_offset() const;
 
 private:
+    constexpr static size_t max_allowed_nested_rule_depth = 2048;
     RefPtr parse_toplevel();
     RefPtr parse_sequence();
     RefPtr parse_function_decl();
--
cgit v1.2.3
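Review bot: The added `if` bounds recursion only on the path that goes through parse_expression; the depth it reads, `m_rule_start_offsets.size()`, appears to grow on every `push_start()` call from any rule, so the real expression nesting permitted is lower than 2048 and depends on how many other rules sit between consecutive parse_expression frames. If any other recursive production (parse_sequence, parse_list_expression, or the bodies declared in Parser.h) can nest without passing through parse_expression, that path is still unbounded and the same stack exhaustion the fuzzer reported remains reachable there — I cannot tell from this hunk, so please confirm. A one-line helper such as `bool is_nested_too_deep() const { return m_rule_start_offsets.size() > max_allowed_nested_rule_depth; }` would let every recursive rule apply the identical check, and a comment at the check like `// Counts every active rule, not only expressions; the effective expression depth allowed is lower than the constant.` would spare the next reader the surprise. Note also that `>` lets the depth reach 2049 before erroring; use `>=` if 2048 is meant as the hard ceiling. parse_expression's body continues outside the hunk.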
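Review bot: The new `max_allowed_nested_rule_depth` carries no comment saying what it bounds or how 2048 was chosen; that rationale lives only in the commit message, which a reader of the header will never see. Suggest placing `// Upper bound on concurrently active parse rules (pushed by push_start()); stops pathologically nested input from exhausting the stack. 2048 is a heuristic, not a measured budget.` above the declaration, adjusted to whatever the actual stack budget turns out to be. The spelling `static constexpr` is the more common order for this kind of member than `constexpr static`; both are valid, but matching the usual form keeps the header consistent and greppable.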