Added: introduced constants for defining the upper limit

HeikoBoettger-KarlStorz · HeikoBoettger-KarlStorz · commit d6686c9590bd · 2024-12-06T12:58:01.000+01:00
diff --git a/yaml/src/main/java/com/fasterxml/jackson/dataformat/yaml/YAMLAnchorReplayingParser.java b/yaml/src/main/java/com/fasterxml/jackson/dataformat/yaml/YAMLAnchorReplayingParser.java
@@ -42,6 +42,21 @@ public AnchorContext(String anchor) {
         }
     }
 
+    /**
+     *  the maximum number of events that can be replayed
+     */
+    public static final int MAX_EVENTS = 9999;
+
+    /**
+     * the maximum limit of anchors to remember
+     */
+    public static final int MAX_ANCHORS = 9999;
+
+    /**
+     * the maximum limit of merges to follow
+     */
+    public static final int MAX_MERGES = 9999;
+
     /**
      * Remembers when a merge has been started in order to skip the corresponding
      * sequence end which needs to be excluded
@@ -73,9 +88,12 @@ public YAMLAnchorReplayingParser(IOContext ctxt, int parserFeatures, int formatF
     }
 
     private void finishContext(AnchorContext context) {
+        if (referencedObjects.size() + 1 > MAX_REFS) throw new IllegalStateException("too many references in the document");
         referencedObjects.put(context.anchor, context.events);
         if (!tokenStack.isEmpty()) {
-            tokenStack.peek().events.addAll(context.events);
+            List<Event> events = tokenStack.peek().events;
+            if (events.size() + context.events.size() > MAX_EVENTS) throw new IllegalStateException("too many events to replay");
+            events.addAll(context.events);
         }
     }
 
@@ -118,6 +136,7 @@ protected Event getEvent() {
             AliasEvent alias = (AliasEvent) event;
             List<Event> events = referencedObjects.get(alias.getAnchor());
             if (events != null) {
+                if (refEvents.size() + events.size() > MAX_EVENTS) throw new IllegalStateException("too many events to replay");
                 refEvents.addAll(events);
                 return refEvents.removeFirst();
             }
@@ -130,6 +149,7 @@ protected Event getEvent() {
                 AnchorContext context = new AnchorContext(anchor);
                 context.events.add(event);
                 if (event instanceof CollectionStartEvent) {
+                    if (tokenStack.size() + 1 > MAX_ANCHORS) throw new IllegalStateException("too many anchors in the document");
                     tokenStack.push(context);
                 } else {
                     // directly store it
@@ -145,6 +165,7 @@ protected Event getEvent() {
                 // expect next node to be a map
                 Event next = getEvent();
                 if (next instanceof MappingStartEvent) {
+                    if (mergeStack.size() + 1 > MAX_MERGES) throw new IllegalStateException("too many merges in the document");
                     mergeStack.push(globalDepth);
                     return getEvent();
                 }
@@ -154,6 +175,7 @@ protected Event getEvent() {
 
         if (!tokenStack.isEmpty()) {
             AnchorContext context = tokenStack.peek();
+            if (context.events.size() + 1 > MAX_EVENTS) throw new IllegalStateException("too many events to replay");
             context.events.add(event);
             if (event instanceof CollectionStartEvent) {
                 ++context.depth;
