From 04cf06beb40cf3a1df5bc6b834db33e1e356a2ba Mon Sep 17 00:00:00 2001 From: Guillaume Gomez Date: Thu, 16 Oct 2025 21:59:25 +0200 Subject: [PATCH] Limit maximum number of references in generics to prevent `syn` stack overflow --- askama_parser/src/expr.rs | 4 ++++ ...zz-testcase-minimized-derive-6696196543676416 | Bin 0 -> 1728 bytes testing/tests/ui/references.rs | 7 +++++++ testing/tests/ui/references.stderr | 7 +++++++ 4 files changed, 18 insertions(+) create mode 100644 fuzzing/fuzz/artifacts/derive/clusterfuzz-testcase-minimized-derive-6696196543676416 create mode 100644 testing/tests/ui/references.rs create mode 100644 testing/tests/ui/references.stderr diff --git a/askama_parser/src/expr.rs b/askama_parser/src/expr.rs index 50e719b2..8ad4d20f 100644 --- a/askama_parser/src/expr.rs +++ b/askama_parser/src/expr.rs @@ -1289,6 +1289,10 @@ impl<'a: 'l, 'l> TyGenerics<'a> { let p = ws((repeat(0.., ws('&')), path, opt(Self::args))); let ((refs, path, args), span) = p.with_span().parse_next(i)?; + let max_refs = 20; + if refs > max_refs { + return cut_error!(format!("too many references (> {max_refs})"), span); + } if let [name] = path.as_slice() { if matches!(**name, "super" | "self" | "crate") { diff --git a/fuzzing/fuzz/artifacts/derive/clusterfuzz-testcase-minimized-derive-6696196543676416 b/fuzzing/fuzz/artifacts/derive/clusterfuzz-testcase-minimized-derive-6696196543676416 new file mode 100644 index 0000000000000000000000000000000000000000..3b571591ba1c2f7cd2f188c9471efe8915fb8912 GIT binary patch literal 1728 zcmezW|1_Ufc}8YVYLRkvwHFtcm6eSeH2@Da3>h#pNOC<%imC1;l58hQG1Z+)oPi{{ zktD^$*-ySIk{m;lV)ETYRh=ZcnIy$jb*36gR+FTdy6z-o8c9wgNiiXtvB;BeK9M?8 w^K^2#?6_)cYgHL)*K{A9_iEzAmw9=41!)kRnYN}cv-{}%nG?&LA;7~K0KHujo&W#< literal 0 HcmV?d00001 diff --git a/testing/tests/ui/references.rs b/testing/tests/ui/references.rs new file mode 100644 index 00000000..f0a2909f --- /dev/null +++ b/testing/tests/ui/references.rs 
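Review bot: In the hunk for `askama_parser/src/expr.rs`, the bound is an unnamed local, `let max_refs = 20;`, and nothing beside it says why 20 or what fails above it. The reason is only in the commit title (a stack overflow in `syn`, with a fuzzer artifact added under `fuzzing/fuzz/artifacts/derive/`), so I would hoist it to a named constant, e.g. `const MAX_REFS: usize = 20;` (assuming `refs` is a `usize` count), with a comment such as `// longer reference chains overflowed the stack in syn; found by fuzzing the derive`. The check bounds only the leading `&` run of one generic argument; whether nesting through `opt(Self::args)` is limited elsewhere is not visible here and is worth confirming, since it is the same kind of input. The enclosing function starts and ends outside the hunk.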
@@ -0,0 +1,7 @@
+use askama::Template;
+
+#[derive(Template)]
+#[template(source = "{{J::<&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&e>()}}", ext = "html")]
+struct X;
+
+fn main() {}
diff --git a/testing/tests/ui/references.stderr b/testing/tests/ui/references.stderr
new file mode 100644
index 00000000..b30e182a
--- /dev/null
+++ b/testing/tests/ui/references.stderr
@@ -0,0 +1,7 @@
+error: too many references (> 20)
+ --> :1:6
+ "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&e>()}}"
+ --> tests/ui/references.rs:4:21
+ |
+4 | #[template(source = "{{J::<&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&e>()}}", ext = "html")]
+ | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
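Review bot: `testing/tests/ui/references.rs` exercises the new limit only with a reference run well past 20, so the boundary of `refs > max_refs` is not pinned; an accidental change to `>=` would still pass this test. A pair of cases at the edge would fix the contract: a template with exactly 20 `&` that must compile, and one with 21 that must fail with `too many references (> 20)`. The passing case would also show that ordinary templates at the limit are not rejected.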