@@ -40,6 +40,7 @@ typedef struct
4040 GF_List * identifiers ;
4141 char * new_line ;
4242 u32 indent ;
43+ u32 expr_stack_size ;
4344} ScriptParser ;
4445
4546
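Review bot: The new `expr_stack_size` field carries no comment, and nothing at the declaration says what unit it counts or what bounds it. Since it is written and read only inside SFS_Expression, a one-line note keeps the next maintainer from treating it as a general-purpose counter: `u32 expr_stack_size; /* current SFS_Expression recursion depth, checked against MAX_EXPR_STACK */`. It also relies on the parser being zeroed before use, which the memset added in SFS_Parse provides; worth saying so in the comment if other ScriptParser constructors exist outside this view.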
@@ -169,6 +170,7 @@ GF_Err SFScript_Parse(GF_BifsDecoder *codec, SFScript *script_field, GF_BitStrea
169170 e = GF_OK ;
170171 if (gf_node_get_tag (n ) != TAG_MPEG4_Script ) return GF_NON_COMPLIANT_BITSTREAM ;
171172
173+ memset (& parser , 0 , sizeof (ScriptParser ));
172174 parser .codec = codec ;
173175 parser .script = n ;
174176 parser .bs = bs ;
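Review bot: `memset (& parser , 0 , sizeof (ScriptParser ))` sizes the clear by the type name rather than the object; `memset(&parser, 0, sizeof parser);` cannot silently go wrong if the variable's type is ever changed. The zeroing itself is the right fix for the previously uninitialized fields (the new `expr_stack_size` counter depends on it), and placing it before the field assignments is correct. SFS_Parse begins and ends outside this hunk.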
@@ -209,6 +211,10 @@ GF_Err SFScript_Parse(GF_BifsDecoder *codec, SFScript *script_field, GF_BitStrea
209211 SFS_Space (& parser );
210212 SFS_StatementBlock (& parser , GF_TRUE );
211213 SFS_Line (& parser );
214+ if (codec -> LastError ) {
215+ e = codec -> LastError ;
216+ goto exit ;
217+ }
212218 }
213219
214220 SFS_Line (& parser );
@@ -418,6 +424,7 @@ void SFS_CompoundExpression(ScriptParser *parser)
418424 if (parser -> codec -> LastError ) return ;
419425 SFS_Expression (parser );
420426 if (! gf_bs_read_int (parser -> bs , 1 )) return ;
427+ if (parser -> codec -> LastError ) return ;
421428 SFS_AddString (parser , "," );
422429 SFS_CompoundExpression (parser );
423430}
@@ -430,12 +437,20 @@ void SFS_OptionalExpression(ScriptParser *parser)
430437 }
431438}
432439
433-
440+ #define MAX_EXPR_STACK 500
434441void SFS_Expression (ScriptParser * parser )
435442{
436443 u32 val = gf_bs_read_int (parser -> bs , NUMBITS_EXPR_TYPE );
437444 if (parser -> codec -> LastError ) return ;
438445
446+ //limit max expression stack size
447+ parser -> expr_stack_size ++ ;
448+ if (parser -> expr_stack_size > MAX_EXPR_STACK ) {
449+ GF_LOG (GF_LOG_ERROR , GF_LOG_CODEC , ("[BIFS] Max stack size %d reached for expressions, not supported\n" , MAX_EXPR_STACK ))
450+ parser -> codec -> LastError = GF_NON_COMPLIANT_BITSTREAM ;
451+ return ;
452+ }
453+
439454 switch (val ) {
440455 case ET_CURVED_EXPR :
441456 SFS_AddString (parser , "(" );
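Review bot: `parser -> expr_stack_size ++` is incremented before the switch, but the only matching decrement is the single line added at the end of SFS_Expression in the later hunk (`parser -> expr_stack_size -- ;` just before the closing brace), so any `return` inside the switch body — which lies between the two hunks and is not visible here — would leave the depth count permanently raised for the rest of the script and make later, legitimately nested expressions trip the limit; either confirm no case returns early or route them through `break`. The early return on the limit path is fine because it also sets LastError, which stops the parse. The constant is undocumented: a comment next to `#define MAX_EXPR_STACK 500` such as `/* bound on SFS_Expression recursion depth; each level costs one C stack frame, keep well below the smallest thread stack the decoder runs on */` would record why this value was chosen. Note also that the counter only bounds expression nesting; if statement-level constructs recurse via SFS_StatementBlock without passing through SFS_Expression, that path remains unbounded by this change.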
@@ -675,6 +690,7 @@ void SFS_Expression(ScriptParser *parser)
675690 parser -> codec -> LastError = GF_NON_COMPLIANT_BITSTREAM ;
676691 break ;
677692 }
693+ parser -> expr_stack_size -- ;
678694}
679695
680696void SFS_NewObject (ScriptParser * parser )
@@ -691,6 +707,7 @@ void SFS_ArrayDeref(ScriptParser *parser)
691707{
692708 if (parser -> codec -> LastError ) return ;
693709 SFS_Expression (parser );
710+ if (parser -> codec -> LastError ) return ;
694711 SFS_AddString (parser , "[" );
695712 SFS_CompoundExpression (parser );
696713 SFS_AddString (parser , "]" );
@@ -709,6 +726,7 @@ void SFS_ObjectMemberAccess(ScriptParser *parser)
709726{
710727 if (parser -> codec -> LastError ) return ;
711728 SFS_Expression (parser );
729+ if (parser -> codec -> LastError ) return ;
712730 SFS_AddString (parser , "." );
713731 SFS_Identifier (parser );
714732}
@@ -718,6 +736,7 @@ void SFS_ObjectMethodCall(ScriptParser *parser)
718736{
719737 if (parser -> codec -> LastError ) return ;
720738 SFS_Expression (parser );
739+ if (parser -> codec -> LastError ) return ;
721740 SFS_AddString (parser , "." );
722741 SFS_Identifier (parser );
723742 SFS_AddString (parser , "(" );
@@ -732,6 +751,7 @@ void SFS_Params(ScriptParser *parser)
732751 val = gf_bs_read_int (parser -> bs , 1 );
733752 while (val ) {
734753 SFS_Expression (parser );
754+ if (parser -> codec -> LastError ) return ;
735755 val = gf_bs_read_int (parser -> bs , 1 );
736756 if (val ) SFS_AddString (parser , "," );
737757 }