mirror of
https://github.com/RGBCube/serenity
synced 2025-05-27 12:45:08 +00:00
48e4fb239a
When parse_expression looks at '$((', there are two ways it can end up
in parse_expression again, three consumed characters later. All these
ways fail, so what happened was that the parser tried all possible
combinations, hence taking potentially an exponential amount of time.
1. parse_evaluate swallows the '$(', a new invocation of
parse_expression swallows the other '(', and through
parse_list_expression we're at another parse_expression.
2. parse_evaluate swallows the '$(', but returns a SyntaxError.
parse_expression used to not recognize the error, and treated it as a
regular AST node, calling into read_concat, then a new invocation of
parse_expression swallows the other '(', and through
parse_list_expression we're at another parse_expression.
Fixes #10561.
Found by OSS Fuzz, long-standing issue
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28113
|
||
|---|---|---|
| .. | ||
| Tests | ||
| AST.cpp | ||
| AST.h | ||
| Builtin.cpp | ||
| CMakeLists.txt | ||
| Execution.h | ||
| Formatter.cpp | ||
| Formatter.h | ||
| Forward.h | ||
| ImmediateFunctions.cpp | ||
| Job.cpp | ||
| Job.h | ||
| main.cpp | ||
| NodeVisitor.cpp | ||
| NodeVisitor.h | ||
| Parser.cpp | ||
| Parser.h | ||
| Shell.cpp | ||
| Shell.h | ||
| SyntaxHighlighter.cpp | ||
| SyntaxHighlighter.h | ||