From f1d49d391ee3b466b758e8d6d2301eccd1eb382c Mon Sep 17 00:00:00 2001 From: Ali Mohammad Pur Date: Sat, 1 May 2021 11:03:18 +0430 Subject: [PATCH] Shell: Disallow non-bareword nodes as part of a heredoc key Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33854 --- Userland/Shell/Parser.cpp | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/Userland/Shell/Parser.cpp b/Userland/Shell/Parser.cpp index 0507f055cd..7d980909df 100644 --- a/Userland/Shell/Parser.cpp +++ b/Userland/Shell/Parser.cpp @@ -1943,10 +1943,14 @@ RefPtr Parser::parse_heredoc_initiation_record() // StringLiteral | bareword if (auto bareword = parse_bareword()) { - if (bareword->is_syntax_error()) - syntax_error_node = bareword->syntax_error_node(); - else - record.end = static_cast(bareword.ptr())->text(); + if (!bareword->is_bareword()) { + syntax_error_node = create(String::formatted("Expected a bareword or a quoted string, not {}", bareword->class_name())); + } else { + if (bareword->is_syntax_error()) + syntax_error_node = bareword->syntax_error_node(); + else + record.end = static_cast(bareword.ptr())->text(); + } record.interpolate = true; } else if (peek() == '\'') { @@ -1981,6 +1985,10 @@ bool Parser::parse_heredoc_entries() // Try to parse heredoc entries, as reverse recorded in the initiation records for (auto& record : m_heredoc_initiations) { auto rule_start = push_start(); + if (m_rule_start_offsets.size() > max_allowed_nested_rule_depth) { + record.node->set_is_syntax_error(*create(String::formatted("Expression nested too deep (max allowed is {})", max_allowed_nested_rule_depth))); + continue; + } bool found_key = false; if (!record.interpolate) { // Since no interpolation is allowed, just read lines until we hit the key