src/lib/MSPUBParser2k.cpp | 5 +++++
1 file changed, 5 insertions(+)
New commits:
commit 7a7bf1b6dc0229e308d284c21257ed1b6b707f03
Author: Caolán McNamara <[email protected]>
AuthorDate: Fri May 22 16:28:15 2026 +0000
Commit: Caolán McNamara <[email protected]>
CommitDate: Fri May 22 20:54:47 2026 +0200
cap parse2kShapeChunk recursion depth too
Reuse the same MAX_SHAPE_GROUP_DEPTH cap of 100.
Change-Id: Id5de73564151adf6237292543fd93c03384bbda1
Reviewed-on: https://gerrit.libreoffice.org/c/libmspub/+/205564
Tested-by: Caolán McNamara <[email protected]>
Reviewed-by: Caolán McNamara <[email protected]>
diff --git a/src/lib/MSPUBParser2k.cpp b/src/lib/MSPUBParser2k.cpp
index eaef631..3db3e0d 100644
--- a/src/lib/MSPUBParser2k.cpp
+++ b/src/lib/MSPUBParser2k.cpp
@@ -28,6 +28,9 @@ namespace libmspub
namespace
{
+// Matches the parseShapeGroup cap in MSPUBParser.cpp; see comment there.
+constexpr unsigned MAX_SHAPE_GROUP_DEPTH = 100;
+
class ChunkNestingGuard
{
public:
@@ -511,6 +514,8 @@ bool MSPUBParser2k::parse2kShapeChunk(const
ContentChunkReference &chunk, librev
MSPUB_DEBUG_MSG(("chunk %u is nested in itself", chunk.seqNum));
return false;
}
+ if (m_chunksBeingRead.size() >= MAX_SHAPE_GROUP_DEPTH)
+ return false;
const ChunkNestingGuard guard(m_chunksBeingRead, chunk.seqNum);
unsigned page = pageSeqNum.get_value_or(chunk.parentSeqNum);
