Credit to @20210607
Summary
Svc::FpySequencer accepts and starts executing sequence files whose directives grow the runtime stack exactly to Fpy::MAX_STACK_SIZE, but its shared stack helpers reject that same boundary with hard FW_ASSERT calls. In Svc/FpySequencer/FpySequencerStack.cpp, both Stack::push() and Stack::pushZeroes() require current_size + growth < Fpy::MAX_STACK_SIZE instead of allowing an exact fit. Higher-level directive handlers, however, only reject growth when it is strictly greater than the remaining capacity. A crafted sequence can therefore pass validation and then abort the process at runtime instead of returning a handled STACK_OVERFLOW error.
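The boundary mismatch described above, as an added model (not the project's code): it exhaustively compares a handler-style capacity check against the strict helper precondition and reports every state the first accepts and the second rejects. The constant `kMaxStackSize`, all function names, and the inclusive precondition are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed stand-in for Fpy::MAX_STACK_SIZE; the real value is not on the page.
constexpr std::uint32_t kMaxStackSize = 16;

// Handler-style check as the summary describes it: reject growth only when it
// is strictly greater than the remaining capacity. Requires size <= max.
bool handlerAccepts(std::uint32_t size, std::uint32_t growth) {
    return growth <= kMaxStackSize - size;
}

// Helper precondition as the summary describes it: an exact fit fails.
bool helperStrict(std::uint32_t size, std::uint32_t growth) {
    return size + growth < kMaxStackSize;
}

// Assumed consistent form: an exact fit is allowed, matching the handler.
bool helperInclusive(std::uint32_t size, std::uint32_t growth) {
    return size + growth <= kMaxStackSize;
}

struct Mismatch {
    unsigned count;      // states the handler accepts but the helper rejects
    bool allAtExactFit;  // every such state has size + growth == max
};

using Precondition = bool (*)(std::uint32_t, std::uint32_t);

// Exhaustively compare the two layers over every reachable (size, growth).
Mismatch findMismatches(Precondition helper) {
    Mismatch m{0, true};
    for (std::uint32_t size = 0; size <= kMaxStackSize; ++size) {
        for (std::uint32_t growth = 0; growth <= 2 * kMaxStackSize; ++growth) {
            if (handlerAccepts(size, growth) && !helper(size, growth)) {
                ++m.count;
                if (size + growth != kMaxStackSize) m.allAtExactFit = false;
            }
        }
    }
    return m;
}

int main() {
    Mismatch strict = findMismatches(helperStrict);
    Mismatch inclusive = findMismatches(helperInclusive);
    std::printf("strict helper: %u mismatches, all at exact fit: %d\n", strict.count, strict.allAtExactFit);
    std::printf("inclusive helper: %u mismatches\n", inclusive.count);
    return 0;
}
```

A differential check of this shape works as a regression test whenever a validation layer and an assertion layer are meant to enforce the same bound.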