Merge commit from fork

alexander-fenster · web-flow · commit f1d57274da2b · 2026-04-17T07:32:33.000-07:00
* fix: limit depth of recursion in Reader.prototype.skipType

* fix: use Reader.skipTypeMaxDepth as a limit
diff --git a/src/reader.js b/src/reader.js
@@ -352,12 +352,19 @@ Reader.prototype.skip = function skip(length) {
     return this;
 };
 
+// Recursion depth limit in skipType
+Reader.skipTypeMaxDepth = 100;
+
 /**
  * Skips the next element of the specified wire type.
  * @param {number} wireType Wire type received
+ * @param {number} [depth] Depth of recursion to control nested calls; 0 if omitted
  * @returns {Reader} `this`
  */
-Reader.prototype.skipType = function(wireType) {
+Reader.prototype.skipType = function(wireType, depth) {
+    if (depth === undefined) depth = 0;
+    if (depth > Reader.skipTypeMaxDepth)
+        throw Error("maximum nesting depth exceeded");
     switch (wireType) {
         case 0:
             this.skip();
@@ -370,7 +377,7 @@ Reader.prototype.skipType = function(wireType) {
             break;
         case 3:
             while ((wireType = this.uint32() & 7) !== 4) {
-                this.skipType(wireType);
+                this.skipType(wireType, depth + 1);
             }
             break;
         case 5:
diff --git a/tests/api_writer-reader.js b/tests/api_writer-reader.js
@@ -129,6 +129,22 @@ tape.test("writer & reader", function(test) {
         test.end();
     });
 
+    test.throws(function() {
+      const root = protobuf.Root.fromJSON({
+        nested: {
+          MyMessage: {
+            fields: {
+              name: { type: "string", id: 1 }
+            }
+          }
+        }
+      });
+      const MyMessage = root.lookupType("MyMessage");
+      // 0x7B (field 15, wire type 3 = start group)
+      const payload = Buffer.alloc(50000, 0x7B);
+      MyMessage.decode(payload);
+    }, /maximum nesting depth exceeded/, "limits recursion in reader");
+
     test.end();
 });
 
@@ -178,4 +194,4 @@ function expect(type, value, expected, WriterToTest) {
         }
     }
     return true;
-}
+}
