Check recursion in JSParserImpl::parseBindingElement

Summary: This additional recursion check avoids a crash on: var v2 = "[".repeat(100000); var v5 = Function(v2,"return 0"); Reviewed By: tmikov Differential Revision: D24060561 fbshipit-source-id: 8f7d81b81d68b5c729338e6a39f103a3e4d1c3f2
calebmackdavenport · Oct 2, 2020 · 551de84 · 551de84
1 parent 11a30af
commit 551de84
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/lib/Parser/JSParserImpl.cpp b/lib/Parser/JSParserImpl.cpp
@@ -1102,6 +1102,7 @@ Optional<ESTree::ArrayPatternNode *> JSParserImpl::parseArrayBindingPattern(
 }
 
 Optional<ESTree::Node *> JSParserImpl::parseBindingElement(Param param) {
+  CHECK_RECURSION;
   ESTree::Node *elem;
 
   if (check(TokenKind::l_square, TokenKind::l_brace)) {

diff --git a/test/Parser/large-nested-binding.js b/test/Parser/large-nested-binding.js
@@ -0,0 +1,12 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+// RUN: ( ! %hermes %s 2>&1 ) | %FileCheck --match-full-lines %s
+
+var v2 = "[".repeat(100000);
+// CHECK: {{.*}}Too many nested expressions/statements/declarations{{.*}}
+var v5 = Function(v2,"return 0");