authorWei Li <weili@chromium.org>2016-01-11 14:16:10 -0800
committerWei Li <weili@chromium.org>2016-01-11 14:16:10 -0800
commitf2b300af96e05bb372664752a64f6ab506820a12 (patch)
tree861da2db3fc42ad79876aa93a8c9d763fd3c262f
parent884a7d3b64d220e95548492e28549615a7f86827 (diff)
Merge to XFA: Fix an infinite loop parsing in CPDF_SyntaxParser::GetObject()
CPDF_SyntaxParser::GetObject() may enter an infinite loop when a signature dictionary does not have a 'Contents' field. Add a check to avoid that. BUG=pdfium:344 TBR=thestig@chromium.org Review URL: https://codereview.chromium.org/1575833004 . (cherry picked from commit d3ab0f383f6736657480a8bb418c5e715a1aed3b) Review URL: https://codereview.chromium.org/1571333004 .
-rw-r--r--core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp7
-rw-r--r--fpdfsdk/src/fpdfview_embeddertest.cpp6
-rw-r--r--testing/resources/bug_344.pdf9
3 files changed, 19 insertions, 3 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 3ab4423172..49d6760c65 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -2163,12 +2163,13 @@ CPDF_Object* CPDF_SyntaxParser::GetObject(CPDF_IndirectObjects* pObjList,
pDict->SetAt(keyNoSlash, pObj);
}
- if (IsSignatureDict(pDict.get())) {
- FX_FILESIZE dwSavePos = m_Pos;
+ // Only when this is a signature dictionary and has contents, we reset the
+ // contents to the un-decrypted form.
+ if (IsSignatureDict(pDict.get()) && dwSignValuePos) {
+ CFX_AutoRestorer<FX_FILESIZE> save_pos(&m_Pos);
m_Pos = dwSignValuePos;
CPDF_Object* pObj = GetObject(pObjList, objnum, gennum, nullptr, FALSE);
pDict->SetAt("Contents", pObj);
- m_Pos = dwSavePos;
}
if (pContext) {
pContext->m_DictEnd = m_Pos;
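Review bot: The new guard `IsSignatureDict(pDict.get()) && dwSignValuePos` relies on a zero offset meaning "no /Contents key was seen", but neither the hunk nor the added comment states that invariant; `dwSignValuePos` is declared and assigned outside this hunk, and GetObject() itself starts and ends outside it. I would replace the two-line comment with one that names the sentinel, e.g. `// Re-read a signature dictionary's /Contents in its raw (undecrypted) form. dwSignValuePos is 0 when no /Contents key was seen; skip the re-parse in that case.` — presumably re-parsing from offset 0 is what previously looped, so saying why the zero check exists keeps the next maintainer from "simplifying" it away. The result of the recursive GetObject() goes straight into `pDict->SetAt("Contents", pObj)`; if that call can return nullptr on malformed input, a short comment on how SetAt treats a null value (or an explicit null check) would make the failure path visible here rather than implicit. Switching to `CFX_AutoRestorer<FX_FILESIZE> save_pos(&m_Pos)` is the right shape, since m_Pos is now restored on every exit from the block instead of only on the straight-line path.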
diff --git a/fpdfsdk/src/fpdfview_embeddertest.cpp b/fpdfsdk/src/fpdfview_embeddertest.cpp
index 6a6d076983..3147c01660 100644
--- a/fpdfsdk/src/fpdfview_embeddertest.cpp
+++ b/fpdfsdk/src/fpdfview_embeddertest.cpp
@@ -221,4 +221,10 @@ TEST_F(FPDFViewEmbeddertest, CrossRefV4Loop) {
// cause infinite loop.
TEST_F(FPDFViewEmbeddertest, Hang_343) {
EXPECT_FALSE(OpenDocument("bug_343.pdf"));
+}
+
+// The test should pass when the absence of 'Contents' field in a signature
+// dictionary will not cause an infinite loop in CPDF_SyntaxParser::GetObject().
+TEST_F(FPDFViewEmbeddertest, Hang_344) {
+ EXPECT_FALSE(OpenDocument("bug_344.pdf"));
} \ No newline at end of file
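Review bot: The comment above Hang_344 reads awkwardly ("should pass when the absence ... will not cause") and does not name the bug it guards; I would write `// Regression test for pdfium:344: a signature dictionary without a 'Contents' key must not make CPDF_SyntaxParser::GetObject() loop forever.` The expectation only checks that OpenDocument() fails, so a reintroduced hang would surface as a harness timeout rather than a failed EXPECT — acceptable for a hang regression, but worth knowing when reading results. The file still ends without a trailing newline (`\ No newline at end of file`); adding one now avoids this churn in the next diff that touches the last test.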
diff --git a/testing/resources/bug_344.pdf b/testing/resources/bug_344.pdf
new file mode 100644
index 0000000000..c015c66791
--- /dev/null
+++ b/testing/resources/bug_344.pdf
@@ -0,0 +1,9 @@
+'%PDF-1.6
+%âãÏÓ
+<<0 0 objParams%PDF-2.4
+trailer%
+<<Subtype:XM/Length 308/Type/Sig[/Me’ada'%PDF-1.6
+%âãÏÓ
+<<0 0 objParams%PDF-1.4
+trailer%
+<<Subtype:XM/Length 308/Type/Sig[/Me’adata>>ta>>%%sPsP \ No newline at end of file