author | Tom Sepez <tsepez@chromium.org> | 2015-02-03 16:18:19 -0800 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-02-03 16:18:19 -0800 |
commit | 0c01ad05afe4dbc36c6aa32a10a0f98eb677d4be (patch) | |
tree | 77a8806b3413135a838908215b71fac484a7f3dd | |
parent | 615082de70c7fc18d46d0d1a03b62d0d76b1daa9 (diff) | |
download | pdfium-0c01ad05afe4dbc36c6aa32a10a0f98eb677d4be.tar.xz |
Fix stack exhaustion in CPDF_DataAvail::HaveResourceAncestor()
BUG=https://code.google.com/p/pdfium/issues/detail?id=113
R=thestig@chromium.org
Review URL: https://codereview.chromium.org/880043004
-rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 14 | ||||
-rw-r--r-- | fpdfsdk/src/fpdfview_embeddertest.cpp | 8 | ||||
-rw-r--r-- | testing/resources/bug_113.in | 29 | ||||
-rw-r--r-- | testing/resources/bug_113.pdf | 38 |
4 files changed, 85 insertions, 4 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 29265f407f..4b80895d61 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -2743,7 +2743,11 @@ public:
 }
 virtual void GetLinearizedMainXRefInfo(FX_FILESIZE *pPos, FX_DWORD *pSize) FX_OVERRIDE;
+
 protected:
+ static const int kMaxDataAvailRecursionDepth = 64;
+ static int s_CurrentDataAvailRecursionDepth;
+
 FX_DWORD GetObjectSize(FX_DWORD objnum, FX_FILESIZE& offset);
 FX_BOOL IsObjectsAvail(CFX_PtrArray& obj_array, FX_BOOL bParsePage, IFX_DownloadHints* pHints, CFX_PtrArray &ret_array);
 FX_BOOL CheckDocStatus(IFX_DownloadHints *pHints);
@@ -2919,6 +2923,9 @@ IPDF_DataAvail* IPDF_DataAvail::Create(IFX_FileAvail* pFileAvail, IFX_FileRead*
 return FX_NEW CPDF_DataAvail(pFileAvail, pFileRead);
 }
+// static
+int CPDF_DataAvail::s_CurrentDataAvailRecursionDepth = 0;
+
 CPDF_DataAvail::CPDF_DataAvail(IFX_FileAvail* pFileAvail, IFX_FileRead* pFileRead)
 : IPDF_DataAvail(pFileAvail, pFileRead)
 {
@@ -4395,6 +4402,10 @@ FX_BOOL CPDF_DataAvail::CheckLinearizedFirstPage(FX_INT32 iPage, IFX_DownloadHin
 }
 FX_BOOL CPDF_DataAvail::HaveResourceAncestor(CPDF_Dictionary *pDict)
 {
+ CFX_AutoRestorer<int> restorer(&s_CurrentDataAvailRecursionDepth);
+ if (++s_CurrentDataAvailRecursionDepth > kMaxDataAvailRecursionDepth) {
+ return FALSE;
+ }
 CPDF_Object *pParent = pDict->GetElement("Parent");
 if (!pParent) {
 return FALSE;
@@ -4407,9 +4418,8 @@ FX_BOOL CPDF_DataAvail::HaveResourceAncestor(CPDF_Dictionary *pDict)
 if (pRet) {
 m_pPageResource = pRet;
 return TRUE;
- } else {
- return HaveResourceAncestor(pParentDict);
 }
+ return HaveResourceAncestor(pParentDict);
 }
 FX_BOOL CPDF_DataAvail::IsPageAvail(FX_INT32 iPage, IFX_DownloadHints* pHints)
 {
diff --git a/fpdfsdk/src/fpdfview_embeddertest.cpp b/fpdfsdk/src/fpdfview_embeddertest.cpp
index f9b611bbf6..04549741ec 100644
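Review bot: The new `kMaxDataAvailRecursionDepth` and `s_CurrentDataAvailRecursionDepth` declarations in the class body carry no comment saying what they bound, and the counter is a class-wide static even though HaveResourceAncestor(), the only user visible here, is a non-static member. A one-line comment above the constant would keep the intent findable: `// Bound on nested HaveResourceAncestor() calls; a cyclic or very deep /Parent chain in a malformed file would otherwise exhaust the stack.` Because the counter is shared by every CPDF_DataAvail instance, the guard is only correct if instances are never used concurrently from different threads; if that is the intended contract it is worth stating on the declaration, otherwise a per-instance member would avoid the shared mutable state. The class definition continues outside the hunk.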
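Review bot: The depth guard added at the top of HaveResourceAncestor() returns FALSE on overflow, which callers cannot distinguish from "no ancestor carries /Resources"; that is a safe fail-closed outcome but deserves a comment so the next reader does not mistake it for cycle detection, e.g. `// Depth bound, not cycle detection: a self-referencing /Parent (object 5 in bug_113.pdf names itself as parent) would otherwise recurse until the stack is exhausted; treat it as "no resource ancestor".` The order of the two added lines also matters — the CFX_AutoRestorer is constructed before the pre-increment, so the count is unwound on every exit path including the early return — and a short note would stop a later edit from swapping them. Any other routine in this class that walks /Parent or /Kids recursively would presumably need the same bound; whether such routines exist is not visible from this hunk. The body of HaveResourceAncestor() runs past this hunk, and its tail is covered by the next one.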
--- a/fpdfsdk/src/fpdfview_embeddertest.cpp
+++ b/fpdfsdk/src/fpdfview_embeddertest.cpp
@@ -177,11 +177,15 @@ TEST_F(FPDFViewEmbeddertest, NamedDestsByName) {
 }
 // The following tests pass if the document opens without crashing.
-TEST_F(FPDFViewEmbeddertest, Crasher1) {
+TEST_F(FPDFViewEmbeddertest, Crasher_113) {
+ EXPECT_TRUE(OpenDocument("testing/resources/bug_113.pdf"));
+}
+
+TEST_F(FPDFViewEmbeddertest, Crasher_451830) {
 EXPECT_TRUE(OpenDocument("testing/resources/bug_451830.pdf"));
 }
-TEST_F(FPDFViewEmbeddertest, Crasher2) {
+TEST_F(FPDFViewEmbeddertest, Crasher_452455) {
 EXPECT_TRUE(OpenDocument("testing/resources/bug_452455.pdf"));
 FPDF_PAGE page = LoadPage(0);
 EXPECT_NE(nullptr, page);
diff --git a/testing/resources/bug_113.in b/testing/resources/bug_113.in
new file mode 100644
index 0000000000..5fc6e71744
--- /dev/null
+++ b/testing/resources/bug_113.in
@@ -0,0 +1,29 @@
+{{header}}
+{{object 3 0}} <<
+ /Pages 5 0 R
+>>
+endobj
+{{object 4 0}} <<
+/Type /Page
+/Parent 5 0 R
+/Resources <<
+/Font <<xt
+endobj
+% partial object
+{{object 5 0}} <<
+ /Type /Page
+ /Parent 5 0 R
+ /bork <<
+endobj
+% duplicate definition of partial object
+{{object 5 0}} <<
+ /Kids [4 0 R]
+ /bork 1P
+ /MediaBox [ 0
+endobj
+{{xref}}
+trailer <<
+ /Root 3 0 R
+>>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/bug_113.pdf b/testing/resources/bug_113.pdf
new file mode 100644
index 0000000000..0a524c1b8e
--- /dev/null
+++ b/testing/resources/bug_113.pdf
@@ -0,0 +1,38 @@
+%PDF-1.7
+% ò¤ô
+3 0 obj <<
+ /Pages 5 0 R
+>>
+endobj
+4 0 obj <<
+/Type /Page
+/Parent 5 0 R
+/Resources <<
+/Font <<xt
+endobj
+% partial object
+5 0 obj <<
+ /Type /Page
+ /Parent 5 0 R
+ /bork <<
+endobj
+% duplicate definition of partial object
+5 0 obj <<
+ /Kids [4 0 R]
+ /bork 1P
+ /MediaBox [ 0
+endobj
+xref
+0 6
+0000000000 65536 f
+0000000000 65536 f
+0000000000 65536 f
+0000000015 00000 n
+0000000051 00000 n
+0000000237 00000 n
+trailer <<
+ /Root 3 0 R
+>>
+startxref
+298
+%%EOF |
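Review bot: Crasher_113 only calls OpenDocument(), while HaveResourceAncestor() — the function this commit guards — lives in CPDF_DataAvail next to IsPageAvail() and presumably runs during page-availability checks, so it is not clear from this hunk that opening the document alone reaches the fixed code path; if it does not, the test would also pass against the unfixed parser. Consider exercising page loading as Crasher_452455 does, `FPDF_PAGE page = LoadPage(0);`, accepting a null result if this malformed page cannot be loaded, or add a comment on the test stating why OpenDocument() is sufficient to hit the recursion. The bug-numbered renames of Crasher1 and Crasher2 are fine as they are.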