Merge pull request #687 from tomtau/fix/fuzz-crash

fix: not clear queue when exceeding a call limit
pest-parser · Aug 13, 2022 · b6c482e · b6c482e
2 parents 23bd5e2 + 10fe82a
commit b6c482e
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/meta/resources/test/fuzzsample4.grammar b/meta/resources/test/fuzzsample4.grammar
@@ -0,0 +1 @@
+f={f{/*/*6/*6/*6/*5/*6*6/*6/*6/*5/*7//*
diff --git a/meta/src/parser.rs b/meta/src/parser.rs
@@ -1518,6 +1518,10 @@ mod tests {
             env!("CARGO_MANIFEST_DIR"),
             "/resources/test/fuzzsample3.grammar"
         ));
+        let sample4 = include_str!(concat!(
+            env!("CARGO_MANIFEST_DIR"),
+            "/resources/test/fuzzsample4.grammar"
+        ));
         const ERROR: &str = "call limit reached";
         pest::set_call_limit(Some(25_000usize.try_into().unwrap()));
         let s1 = crate::parser::parse(crate::parser::Rule::grammar_rules, sample1);
@@ -1529,5 +1533,8 @@ mod tests {
         let s3 = crate::parser::parse(crate::parser::Rule::grammar_rules, sample3);
         assert!(s3.is_err());
         assert_eq!(s3.unwrap_err().variant.message(), ERROR);
+        let s4 = crate::parser::parse(crate::parser::Rule::grammar_rules, sample4);
+        assert!(s4.is_err());
+        assert_eq!(s4.unwrap_err().variant.message(), ERROR);
     }
 }
diff --git a/pest/src/parser_state.rs b/pest/src/parser_state.rs
@@ -228,7 +228,6 @@ impl<'i, R: RuleType> ParserState<'i, R> {
     #[inline]
     fn inc_call_check_limit(mut self: Box<Self>) -> ParseResult<Box<Self>> {
         if self.call_tracker.limit_reached() {
-            self.queue.clear();
             return Err(self);
         }
         self.call_tracker.increment_depth();