Merge pull request #1144 from mathjax/issue1142

Add a template substitution count to avoid infinite loop (#1142)

Author: dpvc

ts/input/tex.ts

@@ -72,6 +72,8 @@ export class TeX<N, T, D> extends AbstractInputJax<N, T, D> {
     digits: /^(?:[0-9]+(?:\{,\}[0-9]{3})*(?:\.[0-9]*)?|\.[0-9]+)/,
     // Maximum size of TeX string to process.
     maxBuffer: 5 * 1024,
+    // Maximum number of array template substitutions (avoids infinite loop from @{\\} for example)
+    maxTemplateSubtitutions: 10000,
     // math-style to use for Latin and Greek letters
     mathStyle: 'TeX', // one of TeX, ISO, French, or upright
     formatError: (jax: TeX<any, any, any>, err: TexError) =>

ts/input/tex/base/BaseItems.ts

@@ -1017,6 +1017,11 @@ export class ArrayItem extends BaseItem {
     table: '',
   };
 
+  /**
+   * Substitution count for template substitutions (to avoid infinite loops)
+   */
+  public templateSubs: number = 0;
+
   /**
    * The TeX parser that created this item
    */
@@ -1208,6 +1213,18 @@ export class ArrayItem extends BaseItem {
       if (ralign) {
         entry = '\\text{' + entry.trim() + '}';
       }
+      if (start || end || ralign) {
+        if (
+          ++this.templateSubs >
+          parser.configuration.options.maxTemplateSubtitutions
+        ) {
+          throw new TexError(
+            'MaxTemplateSubs',
+            'Maximum template substitutions exceeded; ' +
+              'is there an invalid use of \\\\ in the template?'
+          );
+        }
+      }
     }
     //
     //  Add any \hline or \hfill macros