From 9c551448cbfb0627abd2fdd332f511dbe2de4201 Mon Sep 17 00:00:00 2001
From: Alexandre Julliard
Date: Tue, 5 Jul 2022 14:33:55 +0200
Subject: [PATCH] server: Prevent infinite symlink recursion in lookup_named_object().
Signed-off-by: Alexandre Julliard
---
 server/object.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/server/object.c b/server/object.c
index 5bb999d1fc7..333f9e7b5d6 100644
--- a/server/object.c
+++ b/server/object.c
@@ -233,6 +233,7 @@ static void free_object( struct object *obj )
 struct object *lookup_named_object( struct object *root, const struct unicode_str *name, unsigned int attr, struct unicode_str *name_left )
 {
+ static int recursion_count;
 struct object *obj, *parent;
 struct unicode_str name_tmp = *name, *ptr = &name_tmp;
@@ -261,6 +262,13 @@ struct object *lookup_named_object( struct object *root, const struct unicode_st
 if (!name_tmp.len) ptr = NULL; /* special case for empty path */
+ if (recursion_count > 32)
+ {
+ set_error( STATUS_INVALID_PARAMETER );
+ release_object( parent );
+ return NULL;
+ }
+ recursion_count++;
 clear_error();
 while ((obj = parent->ops->lookup_name( parent, ptr, attr, root )))
@@ -269,6 +277,8 @@ struct object *lookup_named_object( struct object *root, const struct unicode_st
 release_object ( parent );
 parent = obj;
 }
+
+ recursion_count--;
 if (get_error())
 {
 release_object( parent );
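Review bot: The depth limit added in the second hunk relies on a function-static `recursion_count`, which is only correct if every path from `recursion_count++` reaches the `recursion_count--` in the third hunk. Part of the `while` loop body lies between the two hunks and is not visible, so confirm it has no early `return`; a skipped decrement would leave the counter raised, and once it passes 32 every later lookup would fail with STATUS_INVALID_PARAMETER. The static declaration has no comment, and it presumably counts lookups re-entered through `parent->ops->lookup_name` when a symlink is resolved, so I would add `/* nesting depth of lookups re-entered via ops->lookup_name; assumes requests are never handled concurrently */` next to it. The bare `32` would read better as a named constant, and `> 32` admits 33 nested lookups, so `>= 32` is the right test if the limit is meant to be 32. The function starts before the first hunk and continues past the last one.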