]> Cypherpunks.ru repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 08c46ed) | patch
go/parser: limit recursion depth
authorRoland Shoemaker <bracewell@google.com>
Wed, 15 Jun 2022 17:43:05 +0000 (10:43 -0700)
committerMichael Knyszek <mknyszek@google.com>
Tue, 12 Jul 2022 15:05:44 +0000 (15:05 +0000)
commit695be961d57508da5a82217f7415200a11845879
tree261aaa541ba25fa638ef2177fe192c3862cfd5a6tree
parent08c46ed43d80bbb67cb904944ea3417989be4af3commit | diff
go/parser: limit recursion depth

Limit nested parsing to 100,000, which prevents stack exhaustion when
parsing deeply nested statements, types, and expressions. Also limit
the scope depth to 1,000 during object resolution.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Fixes #53616
Fixes CVE-2022-1962

Change-Id: I4d7b86c1d75d0bf3c7af1fdea91582aa74272c64
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1491025
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/417063
Run-TryBot: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
src/go/parser/interface.go diff | blob | history
src/go/parser/parser.go diff | blob | history
src/go/parser/parser_test.go diff | blob | history
src/go/parser/resolver.go diff | blob | history
Go GOST TLS 1.3