From d9ffc81421c7dcf20d88106c5dca34ec35cb610a Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Tue, 5 Oct 2021 11:09:48 +0200
Subject: pkg/compiler: fix infinite recursion in template instantiation

Fix a bug found by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17240

We handled the case of infinite recursion in templates but only if the full type name matches precisely (A -> B -> A). In this case the name constantly changes due to different template arguments. Per se this is a not an error (and we have real cases that use this, e.g. when an nlattr_t contains nested nlattr_t's), but it's an error if it recurses infinitely. Restrict recursion on the same template to 10 levels.
---
 pkg/compiler/testdata/errors.txt | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'pkg/compiler/testdata/errors.txt')

diff --git a/pkg/compiler/testdata/errors.txt b/pkg/compiler/testdata/errors.txt
index 670cc0193..db653c180 100644
--- a/pkg/compiler/testdata/errors.txt
+++ b/pkg/compiler/testdata/errors.txt
@@ -334,6 +334,11 @@ foo$210(a ptr[in, templ11[0, 1, int8]]) ### template templ11 needs 2 arguments
 foo$211(a ptr[in, templ9]) ### template templ9 needs 1 arguments instead of 0
 foo$212(a ptr[in, templ11[1]]) ### template templ11 needs 2 arguments instead of 1
 
+type TR[A, B] {
+ f TR[A, A[B]] ### type instantiation recursion: TR[X, Y] -> TR[X, X[Y]] -> TR[X, X[X[Y]]] -> TR[X, X[X[X[Y]]]] -> TR[X, X[X[X[X[Y]]]]] -> TR[X, X[X[X[X[X[Y]]]]]] -> TR[X, X[X[X[X[X[X[Y]]]]]]] -> TR[X, X[X[X[X[X[X[X[Y]]]]]]]] -> TR[X, X[X[X[X[X[X[X[X[Y]]]]]]]]] -> TR[X, X[X[X[X[X[X[X[X[X[Y]]]]]]]]]] -> TR[X, X[X[X[X[X[X[X[X[X[X[Y]]]]]]]]]]] -> TR[X, X[X[X[X[X[X[X[X[X[X[X[Y]]]]]]]]]]]]
+}
+type TU TR[X, Y]
+
 foo$glob001(a ptr[in, glob[1]]) ### unexpected int 1, string arg must be a string literal or string flags
 foo$glob002(a ptr[in, glob]) ### glob only accepts 1 arg, provided 0
 foo$glob003(a ptr[in, glob["/sys", 5]]) ### glob only accepts 1 arg, provided 2
-- 
cgit mrf-deployment
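Review bot: The added `TR`/`TU` case pins only direct self-recursion, where `TR` instantiates `TR` with a growing second argument, and nothing above it explains why the expected message is so long. A comment before `type TR[A, B] {` would help, for example `# Template arguments grow on every step, so the full type name never repeats; instantiation must still stop at the depth limit.` The expected string spells out the whole instantiation chain, so it is tied to the 10-level limit named in the commit message and has to be regenerated whenever that limit changes. The compiler change is not shown on this page (the view is limited to errors.txt), so it cannot be checked here, but a second case where two templates instantiate each other with growing arguments would confirm the per-template limit also stops indirect recursion. A companion positive case just under the limit, in the non-error test data, would confirm that legitimate nesting such as the nested nlattr_t mentioned in the description still compiles.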