From cedbe8f7a1f0d174636e70de68d85499d8025000 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Mon, 28 Mar 2022 18:41:26 -0700 Subject: [PATCH 08/11] [release-branch.go1.17] encoding/xml: use iterative Skip, rather than recursive Prevents exhausting the stack limit in _incredibly_ deeply nested structures. Fixes #53711 Updates #53614 Fixes CVE-2022-28131 Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 Reviewed-by: Julie Qiu Reviewed-by: Damien Neil (cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49) Reviewed-on: https://go-review.googlesource.com/c/go/+/417068 TryBot-Result: Gopher Robot Reviewed-by: Heschi Kreinick Run-TryBot: Michael Knyszek Conflict: NA Reference: https://go-review.googlesource.com/c/go/+/417068 --- src/encoding/xml/read.go | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go index e0ed8b527ce..c77579880cb 100644 --- a/src/encoding/xml/read.go +++ b/src/encoding/xml/read.go @@ -743,12 +743,12 @@ Loop: } // Skip reads tokens until it has consumed the end element -// matching the most recent start element already consumed. -// It recurs if it encounters a start element, so it can be used to -// skip nested structures. +// matching the most recent start element already consumed, +// skipping nested structures. // It returns nil if it finds an end element matching the start // element; otherwise it returns an error describing the problem. func (d *Decoder) Skip() error { + var depth int64 for { tok, err := d.Token() if err != nil { @@ -756,11 +756,12 @@ func (d *Decoder) Skip() error { } switch tok.(type) { case StartElement: - if err := d.Skip(); err != nil { - return err - } + depth++ case EndElement: - return nil + if depth == 0 { + return nil + } + depth-- } } } -- 2.30.2