Open
Description
In the function EnumNodes(), the level counter is incremented only when descending to a child node, not when moving to a left or right sibling node.
So for a maliciously crafted CFB file, endless recursion is possible (root -> left -> left -> left ...).
Here is my modified source code, which adds a recursion depth limit.
The maliciously crafted CFB file is also attached:
endless.zip
// Reports the entries stored beneath 'entry' through 'callback'.
// The walk starts at the entry referenced by entry->childID, with an empty
// directory path, level 0 and recursion depth 0. maxLevel is forwarded
// unchanged to EnumNodes, where a value <= 0 disables the level check.
// NOTE(review): 'entry' is dereferenced without a null check -- confirm that
// every caller passes a valid entry.
void EnumFiles(const COMPOUND_FILE_ENTRY* entry, int maxLevel, EnumFilesCallback callback) const
{
    const utf16string rootDir;
    EnumNodes(GetEntry(entry->childID), 0, maxLevel, rootDir, callback, 0u);
}
private:
static constexpr unsigned int MAX_RECURSIVE_DEPTH = 5;
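// Enumerates 'entry', the entries reachable from it through sibling links
// (same level) and, recursively, through child links (next level), invoking
// 'callback' for each entry visited.
//
//   entry        - node to start from; nullptr ends this branch.
//   currentLevel - nesting level of 'entry'; the callback receives currentLevel + 1.
//   maxLevel     - when > 0, nodes with currentLevel >= maxLevel are not visited.
//   dir          - names of the ancestor entries, joined with '\n'.
//   depth        - number of recursive calls on the path from EnumFiles to this call.
//
// The child/sibling IDs followed here are read from the file being parsed, so a
// crafted file can make the sibling links arbitrarily long or make them loop.
// currentLevel grows only on child steps and therefore cannot bound sibling
// recursion; 'depth' is passed by value and grows on every call (child or
// sibling), which is what terminates the walk. Two consequences to keep in mind:
//   - any entry more than MAX_RECURSIVE_DEPTH links away from the starting node
//     is skipped without an error being reported, so the caller cannot tell a
//     truncated listing from a complete one;
//   - the limit does not detect revisits: an entry referenced more than once
//     within the limit is passed to 'callback' more than once.
void EnumNodes(const COMPOUND_FILE_ENTRY* entry, int currentLevel, int maxLevel,
               const utf16string &dir, EnumFilesCallback callback, unsigned int depth) const
{
    // Recursion guard first: counts this call regardless of which link led here.
    if (++depth > MAX_RECURSIVE_DEPTH)
        return;
    if (maxLevel > 0 && currentLevel >= maxLevel)
        return;
    if (entry == nullptr)
        return;

    callback(entry, dir, currentLevel + 1);

    const COMPOUND_FILE_ENTRY* child = GetEntry(entry->childID);
    if (child != nullptr)
    {
        // Path for the next level: parent path, '\n' separator, then this entry's name.
        utf16string childDir = dir;
        if (dir.length() != 0)
            childDir.append(1, '\n');
        // NOTE(review): nameLen comes from the file; confirm that nameLen / 2
        // cannot exceed the capacity of entry->name (or that GetEntry validates
        // it) before it is used as a length here.
        childDir.append(entry->name, entry->nameLen / 2);
        // Reuse the entry resolved above instead of looking childID up a second time.
        EnumNodes(child, currentLevel + 1, maxLevel, childDir, callback, depth);
    }

    // Siblings stay on the same level and keep the same path; only 'depth' advances.
    EnumNodes(GetEntry(entry->leftSiblingID), currentLevel, maxLevel, dir, callback, depth);
    EnumNodes(GetEntry(entry->rightSiblingID), currentLevel, maxLevel, dir, callback, depth);
}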