Detect infinite recursion when evaluating function arguments

This fixes a regression introduced when consolidating recursion checks in commit 1c8e0e5. When a function is called recursively during evaluation of its arguments, the recursion check in xsltApplySequenceConstructor is never reached. Readd recursion check in exsltFuncFunctionFunction but use the template depth counter. Fixes bug #777293: https://bugzilla.gnome.org/show_bug.cgi?id=777293
2025-08-08 21:42:07 +03:00 · 2017-01-16 14:53:00 +01:00
parent 96c9c644f3
commit 8ee72e4935
5 changed files with 43 additions and 2 deletions
--- a/libexslt/functions.c
+++ b/libexslt/functions.c
@@ -331,6 +331,21 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 	return;
    }

+    /*
+    * When a function is called recursively during evaluation of its
+    * arguments, the recursion check in xsltApplySequenceConstructor
+    * isn't reached.
+    */
+    if (tctxt->depth >= tctxt->maxTemplateDepth) {
+        xsltTransformError(tctxt, NULL, NULL,
+            "exsltFuncFunctionFunction: Potentially infinite recursion "
+            "detected in function {%s}%s.\n",
+            ctxt->context->functionURI, ctxt->context->function);
+        tctxt->state = XSLT_STATE_STOPPED;
+        return;
+    }
+    tctxt->depth++;
+
    /*
     * We have a problem with the evaluation of function parameters.
     * The original library code did not evaluate XPath expressions until
@@ -413,7 +428,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 	xsltFreeStackElemList(params);

    if (data->error != 0)
-	return;
+        goto error;

    if (data->result != NULL) {
 	ret = data->result;
@@ -441,10 +456,13 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 			 "executing a function\n",
 			 ctxt->context->functionURI, ctxt->context->function);
 	xmlFreeNode(fake);
-	return;
+	goto error;
    }
    xmlFreeNode(fake);
    valuePush(ctxt, ret);
+
+error:
+    tctxt->depth--;
 }