From d852ca3e46f40ffcc1b1250a962d735874c95d8c Mon Sep 17 00:00:00 2001
From: Darian Anthony Patrick <dpatrick@wikimedia.org>
Date: Mon, 25 Apr 2016 10:45:57 -0700
Subject: [PATCH] Skip shell invocation on large input

Add a sanity check to the math extension that skips shelling out to
texvc if the input is insanely large.

Bug: T129506
Change-Id: Ia7a14e60043633c8f01335edaad1561bb0475266
---
 MathInputCheckTexvc.php | 5 +++++
 MathTexvc.php           | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/MathInputCheckTexvc.php b/MathInputCheckTexvc.php
index 6d5ad66..099868f 100644
--- a/MathInputCheckTexvc.php
+++ b/MathInputCheckTexvc.php
@@ -82,6 +82,11 @@ class MathInputCheckTexvc extends MathInputCheck {
 		}
 
 		LoggerFactory::getInstance( 'Math' )->debug( "TeX check command: $cmd" );
+		if ( strlen( $cmd ) > SHELL_MAX_ARG_STRLEN ) {
+			LoggerFactory::getInstance( 'Math' )->error(
+				"User input exceeded SHELL_MAX_ARG_STRLEN." );
+			return $this->convertTexvcError('');
+		}
 		$contents = wfShellExec( $cmd );
 		LoggerFactory::getInstance( 'Math' )->debug( "TeX check result: $contents\n---" );
 
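Review bot: The full `$cmd` is still passed to the debug logger on the line above the new length check, so when debug logging is enabled an oversized request is rejected only after its whole content has been logged. The same ordering appears in the MathTexvc.php hunk, where two debug calls precede the check. Moving the `if ( strlen( $cmd ) > SHELL_MAX_ARG_STRLEN )` block above the debug call, or logging only a bounded prefix such as `substr( $cmd, 0, 200 )`, would keep oversized input out of the logs. The early return hands back `$this->convertTexvcError('')`, and whether callers treat that value as a failed check is worth confirming. It cannot be seen here because the enclosing method starts and ends outside the hunk.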
diff --git a/MathTexvc.php b/MathTexvc.php
index 113d062..282a91c 100644
--- a/MathTexvc.php
+++ b/MathTexvc.php
@@ -205,6 +205,11 @@ class MathTexvc extends MathRenderer {
 		LoggerFactory::getInstance( 'Math' )->debug( "TeX: $cmd" );
 		LoggerFactory::getInstance( 'Math' )->debug( "Executing '$cmd'." );
 		$retval = null;
+		if ( strlen( $cmd ) > SHELL_MAX_ARG_STRLEN ) {
+			LoggerFactory::getInstance( 'Math' )->error(
+				"User input exceeded SHELL_MAX_ARG_STRLEN." );
+			return $this->getError( 'math_unknown_error' );
+		}
 		$contents = wfShellExec( $cmd, $retval );
 		LoggerFactory::getInstance( 'Math' )->debug( "TeX output:\n $contents\n---" );
 
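Review bot: The early return uses the generic `math_unknown_error`, and the error log line records no length, so an operator cannot tell an oversize rejection from any other texvc failure or see how far over the limit the request was. The log call could carry the size, for example `"Command length " . strlen( $cmd ) . " exceeds SHELL_MAX_ARG_STRLEN; texvc not run."`. That wording is also more accurate, since the check measures the whole command string rather than only the user's input. A short comment above the `if`, such as `// Refuse before shelling out: oversized commands are never passed to texvc (T129506)`, would record why the guard sits here. The enclosing method continues outside the hunk.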
-- 
2.5.4 (Apple Git-61)

