From b67d056c30cbf06542931b25da9e6e61e34ecf1a Mon Sep 17 00:00:00 2001
From: Ethan Nicholas <ethannicholas@google.com>
Date: Thu, 30 Apr 2020 16:10:00 -0400
Subject: [PATCH] SkSL parser now limits recursion on comma operator as well

Bug: oss-fuzz:19994
Change-Id: I16c434509a83f2dcd19b2fe7650218f28bfaa3cd
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/286617
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Auto-Submit: Ethan Nicholas <ethannicholas@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
---
 src/sksl/SkSLParser.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/sksl/SkSLParser.cpp b/src/sksl/SkSLParser.cpp
index fb9c3db8d5..00378708e2 100644
--- a/src/sksl/SkSLParser.cpp
+++ b/src/sksl/SkSLParser.cpp
@@ -1513,7 +1513,11 @@ ASTNode::ID Parser::expression() {
         return ASTNode::ID::Invalid();
     }
     Token t;
+    AutoDepth depth(this);
     while (this->checkNext(Token::Kind::TK_COMMA, &t)) {
+        if (!depth.increase()) {
+            return ASTNode::ID::Invalid();
+        }
         ASTNode::ID right = this->assignmentExpression();
         if (!right) {
             return ASTNode::ID::Invalid();