[release-branch.go1.17] go/parser: limit recursion depth - go

diff options

author	Roland Shoemaker <bracewell@google.com>	2022-06-15 10:43:05 -0700
committer	Michael Knyszek <mknyszek@google.com>	2022-07-12 15:20:29 +0000
commit	ba8788ebcead55e99e631c6a1157ad7b35535d11 (patch)
tree	8da196067cd8f4dc227dd636539be87566ad3053 /src/compress/gzip/gunzip.go
parent	2678d0c957193dceef336c969a9da74dd716a827 (diff)
download	go-ba8788ebcead55e99e631c6a1157ad7b35535d11.tar.gz go-ba8788ebcead55e99e631c6a1157ad7b35535d11.zip

[release-branch.go1.17] go/parser: limit recursion depth

Limit nested parsing to 100,000, which prevents stack exhaustion when parsing deeply nested statements, types, and expressions. Also limit the scope depth to 1,000 during object resolution. Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes #53707 Updates #53616 Fixes CVE-2022-1962 Change-Id: I4d7b86c1d75d0bf3c7af1fdea91582aa74272c64 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1491025 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 6a856f08d58e4b6705c0c337d461c540c1235c83) Reviewed-on: https://go-review.googlesource.com/c/go/+/417070 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com>

Diffstat (limited to 'src/compress/gzip/gunzip.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: