forked from premiere/premiere-libtorrent
capped the allowed depth in bencoded messages, to avoid triggering stack overflows by malformed messages
This commit is contained in:
parent
61bbc6e58f
commit
ebde862341
|
@ -229,8 +229,14 @@ namespace libtorrent
|
|||
}
|
||||
|
||||
template<class InIt>
|
||||
void bdecode_recursive(InIt& in, InIt end, entry& ret, bool& err)
|
||||
void bdecode_recursive(InIt& in, InIt end, entry& ret, bool& err, int depth)
|
||||
{
|
||||
if (depth >= 100)
|
||||
{
|
||||
err = true;
|
||||
return;
|
||||
}
|
||||
|
||||
if (in == end)
|
||||
{
|
||||
err = true;
|
||||
|
@ -268,7 +274,7 @@ namespace libtorrent
|
|||
{
|
||||
ret.list().push_back(entry());
|
||||
entry& e = ret.list().back();
|
||||
bdecode_recursive(in, end, e, err);
|
||||
bdecode_recursive(in, end, e, err, depth + 1);
|
||||
if (err)
|
||||
{
|
||||
#ifndef NDEBUG
|
||||
|
@ -301,7 +307,7 @@ namespace libtorrent
|
|||
while (*in != 'e')
|
||||
{
|
||||
entry key;
|
||||
bdecode_recursive(in, end, key, err);
|
||||
bdecode_recursive(in, end, key, err, depth + 1);
|
||||
if (err || key.type() != entry::string_t)
|
||||
{
|
||||
#ifndef NDEBUG
|
||||
|
@ -310,7 +316,7 @@ namespace libtorrent
|
|||
return;
|
||||
}
|
||||
entry& e = ret[key.string()];
|
||||
bdecode_recursive(in, end, e, err);
|
||||
bdecode_recursive(in, end, e, err, depth + 1);
|
||||
if (err)
|
||||
{
|
||||
#ifndef NDEBUG
|
||||
|
@ -386,7 +392,7 @@ namespace libtorrent
|
|||
{
|
||||
entry e;
|
||||
bool err = false;
|
||||
detail::bdecode_recursive(start, end, e, err);
|
||||
detail::bdecode_recursive(start, end, e, err, 0);
|
||||
TORRENT_ASSERT(e.m_type_queried == false);
|
||||
if (err)
|
||||
{
|
||||
|
@ -405,7 +411,7 @@ namespace libtorrent
|
|||
entry e;
|
||||
bool err = false;
|
||||
InIt s = start;
|
||||
detail::bdecode_recursive(start, end, e, err);
|
||||
detail::bdecode_recursive(start, end, e, err, 0);
|
||||
len = std::distance(s, start);
|
||||
TORRENT_ASSERT(len >= 0);
|
||||
if (err)
|
||||
|
|
Loading…
Reference in New Issue