Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.18] go/parser: limit recursion depth
author Roland Shoemaker <bracewell@google.com>
Wed, 15 Jun 2022 17:43:05 +0000 (10:43 -0700)
committer Michael Knyszek <mknyszek@google.com>
Tue, 12 Jul 2022 15:06:26 +0000 (15:06 +0000)
commit 0d1615b23f9a558aa0a1957b4c81596220eb8ec4
tree 3eeefed597435656884a174d32c4c28700bcec93
parent 2924ced71d16297320e8ff18829c2038e6ad8d9b
[release-branch.go1.18] go/parser: limit recursion depth

Limit nested parsing to 100,000, which prevents stack exhaustion when
parsing deeply nested statements, types, and expressions. Also limit
the scope depth to 1,000 during object resolution.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Fixes #53708
Updates #53616
Fixes CVE-2022-1962

Change-Id: I4d7b86c1d75d0bf3c7af1fdea91582aa74272c64
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1491025
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 6a856f08d58e4b6705c0c337d461c540c1235c83)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417056
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
src/go/parser/interface.go
src/go/parser/parser.go
src/go/parser/parser_test.go
src/go/parser/resolver.go
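
The mitigation named in the commit message, a cap on nesting depth so that a recursive-descent parser returns an error instead of exhausting the stack, shown on a toy grammar. This is an added example, not the go/parser code changed by this commit. The grammar and the names `expr`, `Parse` and `ErrTooDeep` are assumptions made for illustration; only the 100,000 figure comes from the commit message.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrTooDeep = errors.New("exceeded max nesting depth")

// expr parses the toy grammar expr = "x" | "(" expr ")" starting at src[pos].
// It recurses once per "(", so depth is the number of stack frames the input
// has forced so far; the limit is checked before recursing any further.
func expr(src string, pos, depth, limit int) (end, nest int, err error) {
	switch src[pos] {
	case 'x':
		return pos + 1, 0, nil
	case '(':
		if depth >= limit {
			return 0, 0, ErrTooDeep // clean error instead of unbounded stack growth
		}
		end, nest, err = expr(src, pos+1, depth+1, limit)
		if err != nil {
			return 0, 0, err
		}
		if src[end] != ')' {
			return 0, 0, fmt.Errorf("missing ')' at offset %d", end)
		}
		return end + 1, nest + 1, nil
	}
	return 0, 0, fmt.Errorf("unexpected %q at offset %d", src[pos], pos)
}

// Parse returns the nesting depth of src, or an error.
func Parse(src string, limit int) (int, error) {
	end, nest, err := expr(src+"\x00", 0, 0, limit) // NUL sentinel keeps indexing in bounds
	if err == nil && end != len(src) {
		return 0, errors.New("trailing input")
	}
	return nest, err
}

func main() {
	src := strings.Repeat("(", 150000) + "x" + strings.Repeat(")", 150000) // constructed input
	fmt.Println(Parse(src, 100000)) // limit figure taken from the commit message
}
```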