capped the allowed depth in bencoded messages, to avoid triggering stack overflows by malformed messages

include/libtorrent/bencode.hpp

@@ -229,8 +229,14 @@ namespace libtorrent
 		}
 
 		template<class InIt>
-		void bdecode_recursive(InIt& in, InIt end, entry& ret, bool& err)
+		void bdecode_recursive(InIt& in, InIt end, entry& ret, bool& err, int depth)
 		{
+			if (depth >= 100)
+			{
+				err = true;
+				return;
+			}
+
 			if (in == end)
 			{
 				err = true;
@@ -268,7 +274,7 @@ namespace libtorrent
 				{
 					ret.list().push_back(entry());
 					entry& e = ret.list().back();
-					bdecode_recursive(in, end, e, err);
+					bdecode_recursive(in, end, e, err, depth + 1);
 					if (err)
 					{
 #ifndef NDEBUG
@@ -301,7 +307,7 @@ namespace libtorrent
 				while (*in != 'e')
 				{
 					entry key;
-					bdecode_recursive(in, end, key, err);
+					bdecode_recursive(in, end, key, err, depth + 1);
 					if (err || key.type() != entry::string_t)
 					{	
 #ifndef NDEBUG
@@ -310,7 +316,7 @@ namespace libtorrent
 						return;
 					}
 					entry& e = ret[key.string()];
-					bdecode_recursive(in, end, e, err);
+					bdecode_recursive(in, end, e, err, depth + 1);
 					if (err)
 					{
 #ifndef NDEBUG
@@ -386,7 +392,7 @@ namespace libtorrent
 	{
 		entry e;
 		bool err = false;
-		detail::bdecode_recursive(start, end, e, err);
+		detail::bdecode_recursive(start, end, e, err, 0);
 		TORRENT_ASSERT(e.m_type_queried == false);
 		if (err)
 		{
@@ -405,7 +411,7 @@ namespace libtorrent
 		entry e;
 		bool err = false;
 		InIt s = start;
-		detail::bdecode_recursive(start, end, e, err);
+		detail::bdecode_recursive(start, end, e, err, 0);
 		len = std::distance(s, start);
 		TORRENT_ASSERT(len >= 0);
 		if (err)