fix stack overflow by limiting the maximum depth of dotted keys (#242)

README.md

@@ -306,7 +306,8 @@ UTF-8 decoding is performed using a state machine based on Bjoern Hoehrmann's '[
 -   **[@whiterabbit963](https://github.com/whiterabbit963)** - Fixed a bug with value_or conversions
 -   **[@ximion](https://github.com/ximion)** - Added support for installation with meson
 -   **[@a-is](https://github.com/a-is)** - Fixed a bug
-  -**[@capuanob](https://github.com/capuanob)** - Integrated this project into OSSFuzz
+-   **[@capuanob](https://github.com/capuanob)** - Integrated this project into OSSFuzz
+-   **[@tyler92]** - Fixed stack overflow that occurred during fuzzing tests
 <br>
 
 ## Contact

fuzzing/build.sh

@@ -5,4 +5,4 @@ cmake -S . -B build -DBUILD_FUZZER=ON && cmake --build build --target install
 # Build the corpus using the existing toml files in the source
 mkdir -p corpus
 find $SRC/tomlplusplus -name "*.toml" -exec cp {} corpus \;
-zip -q $OUT/toml_fuzzer_seed_corpus.zip corpus/*
+zip -q -j $OUT/toml_fuzzer_seed_corpus.zip corpus/*

include/toml++/impl/parser.inl

@@ -1063,7 +1063,8 @@ TOML_IMPL_NAMESPACE_START
 	class parser
 	{
 	  private:
-		static constexpr size_t max_nested_values = TOML_MAX_NESTED_VALUES;
+		static constexpr size_t max_nested_values	  = TOML_MAX_NESTED_VALUES;
+		static constexpr size_t max_dotted_keys_depth = TOML_MAX_DOTTED_KEYS_DEPTH;
 
 		utf8_buffered_reader reader;
 		table root;
@@ -3085,6 +3086,11 @@ TOML_IMPL_NAMESPACE_START
 				// store segment
 				key_buffer.push_back(key_segment, key_begin, key_end);
 
+				if TOML_UNLIKELY(key_buffer.size() > max_dotted_keys_depth)
+					set_error_and_return_default("exceeded maximum dotted keys depth of "sv,
+												 max_dotted_keys_depth,
+												 " (TOML_MAX_DOTTED_KEYS_DEPTH)"sv);
+
 				// eof or no more key to come
 				if (is_eof() || *cp != U'.')
 					break;

include/toml++/impl/preprocessor.hpp

@@ -1182,6 +1182,10 @@
 // 256 is crazy high! if you're hitting this limit with real input, TOML is probably the wrong tool for the job...
 #endif
 
+#ifndef TOML_MAX_DOTTED_KEYS_DEPTH
+#define TOML_MAX_DOTTED_KEYS_DEPTH 1024
+#endif
+
 #ifdef TOML_CHAR_8_STRINGS
 #if TOML_CHAR_8_STRINGS
 #error TOML_CHAR_8_STRINGS was removed in toml++ 2.0.0; all value setters and getters now work with char8_t strings implicitly.

toml.hpp

@@ -1091,6 +1091,10 @@
 // 256 is crazy high! if you're hitting this limit with real input, TOML is probably the wrong tool for the job...
 #endif
 
+#ifndef TOML_MAX_DOTTED_KEYS_DEPTH
+#define TOML_MAX_DOTTED_KEYS_DEPTH 1024
+#endif
+
 #ifdef TOML_CHAR_8_STRINGS
 #if TOML_CHAR_8_STRINGS
 #error TOML_CHAR_8_STRINGS was removed in toml++ 2.0.0; all value setters and getters now work with char8_t strings implicitly.
@@ -13554,7 +13558,8 @@ TOML_IMPL_NAMESPACE_START
 	class parser
 	{
 	  private:
-		static constexpr size_t max_nested_values = TOML_MAX_NESTED_VALUES;
+		static constexpr size_t max_nested_values	  = TOML_MAX_NESTED_VALUES;
+		static constexpr size_t max_dotted_keys_depth = TOML_MAX_DOTTED_KEYS_DEPTH;
 
 		utf8_buffered_reader reader;
 		table root;
@@ -15575,6 +15580,11 @@ TOML_IMPL_NAMESPACE_START
 				// store segment
 				key_buffer.push_back(key_segment, key_begin, key_end);
 
+				if TOML_UNLIKELY(key_buffer.size() > max_dotted_keys_depth)
+					set_error_and_return_default("exceeded maximum dotted keys depth of "sv,
+												 max_dotted_keys_depth,
+												 " (TOML_MAX_DOTTED_KEYS_DEPTH)"sv);
+
 				// eof or no more key to come
 				if (is_eof() || *cp != U'.')
 					break;

tools/generate_single_header.py

@@ -231,6 +231,7 @@ def main():
 				r'TOML_LIB_PATCH',
 				r'TOML_LIB_SINGLE_HEADER',
 				r'TOML_MAX_NESTED_VALUES',
+				r'TOML_MAX_DOTTED_KEYS_DEPTH',
 				r'TOML_NAMESPACE_END',
 				r'TOML_NAMESPACE_START',
 				r'TOML_OPTIONAL_TYPE',