From f2667f397bd53846dd8e324053ec0fd8f8e220bf Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sun, 5 Jul 2026 18:19:57 +0200
Subject: [PATCH] msSLDParseSLD(): limit depth to 256

Fixes #7542
---
 src/mapogcfilter.cpp | 25 +++++++++++++++++++++++++
 src/mapogcfilter.h | 3 +++
 src/mapogcsld.cpp | 5 +++++
 3 files changed, 33 insertions(+)
diff --git a/src/mapogcfilter.cpp b/src/mapogcfilter.cpp
index e5e2aeca25..d376949f38 100644
--- a/src/mapogcfilter.cpp
+++ b/src/mapogcfilter.cpp
@@ -575,6 +575,26 @@ int FLTLayerApplyPlainFilterToLayer(FilterEncodingNode *psNode, mapObj *map,
 return status;
 }
+static bool msCheckDepthLessThanInternal(const CPLXMLNode *psNode,
+ int nMaxDepth) {
+ if (nMaxDepth <= 0)
+ return false;
+ for (const CPLXMLNode *psIter = psNode->psChild; psIter;
+ psIter = psIter->psNext) {
+ if (!msCheckDepthLessThanInternal(psIter, nMaxDepth - 1))
+ return false;
+ }
+ return true;
+}
+
+bool msCheckDepthLessThan(const CPLXMLNode *psNode, int nMaxDepth) {
+ for (const CPLXMLNode *psIter = psNode; psIter; psIter = psIter->psNext) {
+ if (!msCheckDepthLessThanInternal(psIter, nMaxDepth))
+ return false;
+ }
+ return true;
+}
+
 /************************************************************************/
 /* FilterNode *FLTPaserFilterEncoding(char *szXMLString) */
 /* */
@@ -597,6 +617,11 @@ FilterEncodingNode *FLTParseFilterEncoding(const char *szXMLString) {
 if (psRoot == NULL)
 return NULL;
+ if (!msCheckDepthLessThan(psRoot, 256)) {
+ msDebug("FLTParseFilterEncoding(): %s", "Too deep nesting in filter");
+ CPLDestroyXMLNode(psRoot);
+ return NULL;
+ }
 /* strip namespaces. We strip all name spaces (#1350)*/
 CPLStripXMLNamespace(psRoot, NULL, 1);
diff --git a/src/mapogcfilter.h b/src/mapogcfilter.h
index e246d092bc..32c6daf3e5 100644
--- a/src/mapogcfilter.h
+++ b/src/mapogcfilter.h
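Review bot: msCheckDepthLessThan() and its helper carry no comment stating their contract, and the name does not match what the code accepts. The helper only fails once nMaxDepth has reached 0, so a tree exactly nMaxDepth levels deep (root counted as level 1) passes and the first rejected level is nMaxDepth + 1, i.e. "at most", not "less than". The walk follows every psChild regardless of node type, so non-element children such as attribute and text nodes presumably count as levels too. I would add above the definition, and on the prototype in mapogcfilter.h, `/* Returns true when no node reachable from psNode or its following siblings is nested more than nMaxDepth levels deep; every child node type counts as a level. */`. It is also worth noting there that the helper's own recursion is bounded by nMaxDepth, because it returns before descending.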
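Review bot: In FLTParseFilterEncoding() the over-deep case is reported only through msDebug(), so the caller receives the same bare NULL as for any other parse failure. If debug output is disabled, a rejected filter probably leaves no trace for whoever investigates the request later. The SLD path in mapogcsld.cpp reports the same condition with msSetError(). Unless callers already raise their own error on a NULL return (not visible here), I would do the same, e.g. `msSetError(MS_MISCERR, "Too deep nesting in filter", "FLTParseFilterEncoding()");`. The function body starts and continues outside the hunk.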
@@ -54,6 +54,9 @@ typedef struct {
 /* -------------------------------------------------------------------- */
 /* prototypes. */
 /* -------------------------------------------------------------------- */
+
+bool msCheckDepthLessThan(const CPLXMLNode *psNode, int nMaxDepth);
+
 MS_DLL_EXPORT int FLTIsNumeric(const char *pszValue);
 MS_DLL_EXPORT int FLTApplyExpressionToLayer(layerObj *lp,
 const char *pszExpression);
diff --git a/src/mapogcsld.cpp b/src/mapogcsld.cpp
index f7c0704c32..0c435f70f9 100644
--- a/src/mapogcsld.cpp
+++ b/src/mapogcsld.cpp
@@ -644,6 +644,11 @@ layerObj *msSLDParseSLD(mapObj *map, const char *psSLDXML, int *pnLayers) {
 msSetError(MS_WMSERR, "Invalid SLD document : %s", "", psSLDXML);
 return NULL;
 }
+ if (!msCheckDepthLessThan(psRoot, 256)) {
+ msSetError(MS_WMSERR, "Invalid SLD document : too deep nesting", "");
+ CPLDestroyXMLNode(psRoot);
+ return NULL;
+ }
 /* strip namespaces ogc and sld and gml */
 CPLStripXMLNamespace(psRoot, "ogc", 1);
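Review bot: The limit is written as the bare literal 256 in msSLDParseSLD() and again in FLTParseFilterEncoding(), so the two entry points can drift apart when one is tuned. A single named constant next to the prototype in mapogcfilter.h (for example `#define MS_XML_MAX_NESTING_DEPTH 256`, the name is only a suggestion) would keep them in step. The check runs on psRoot, a tree that has already been built, so it bounds the code that walks the tree afterwards rather than the parsing itself. A short comment above the `if` would make that intent explicit, e.g. `/* reject pathological nesting before the recursive SLD/filter walkers run */`. msSLDParseSLD continues outside the hunk.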