gvariant-parser: Reject deeply-nested typedecls in text form variants

Return `G_VARIANT_PARSE_ERROR_RECURSION` from `g_variant_parse()` if a typedecl is found within a text-form variant which would cause any part of the variant to exceed the maximum allowed recursion/nesting depth. This fixes an oversight when `G_VARIANT_MAX_RECURSION_DEPTH` was implemented, which allowed typedecls to effectively multiply the size of an array if `g_variant_parse()` was parsing a text-form variant without a top-level concrete type specified. Signed-off-by: Philip Withnall <pwithnall@endlessos.org> Fixes: #2782 oss-fuzz#49462
2025-10-26 05:52:16 +01:00 · 2022-10-18 12:43:22 +01:00
parent 9164fdcbbb
commit 3e313438f1
2 changed files with 41 additions and 0 deletions
--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
@@ -2231,6 +2231,16 @@ typedecl_parse (TokenStream  *stream,
          return NULL;
        }

+      if (g_variant_type_string_get_depth_ (token + 1) > max_depth)
+        {
+          token_stream_set_error (stream, error, TRUE,
+                                  G_VARIANT_PARSE_ERROR_RECURSION,
+                                  "type declaration recurses too deeply");
+          g_free (token);
+
+          return NULL;
+        }
+
      type = g_variant_type_new (token + 1);

      if (!g_variant_type_is_definite (type))