author | tsepez <tsepez@chromium.org> | 2016-09-20 05:56:50 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-09-20 05:56:50 -0700 |
commit | 044b1d6f4929dd8905a259c1e134f2e582726d3b (patch) | |
tree | 09f2d32ff9d80e2a8dfba562ef489417c11cfeaa | |
parent | 81e1e3fd2d33478733e47bd007b76fac1a663e74 (diff) | |
download | pdfium-044b1d6f4929dd8905a259c1e134f2e582726d3b.tar.xz |
Fix stack exhaustion in CPDF_PSProc::Parse()
BUG=648059
Review-Url: https://codereview.chromium.org/2350013003
-rw-r--r-- | core/fpdfapi/fpdf_page/cpdf_psengine.h | 3 | ||||
-rw-r--r-- | core/fpdfapi/fpdf_page/fpdf_page_func.cpp | 10 |
2 files changed, 9 insertions, 4 deletions
diff --git a/core/fpdfapi/fpdf_page/cpdf_psengine.h b/core/fpdfapi/fpdf_page/cpdf_psengine.h
index fc8badbe6d..c154eb8ac8 100644
--- a/core/fpdfapi/fpdf_page/cpdf_psengine.h
+++ b/core/fpdfapi/fpdf_page/cpdf_psengine.h
@@ -70,10 +70,11 @@ class CPDF_PSProc {
 CPDF_PSProc();
 ~CPDF_PSProc();
- FX_BOOL Parse(CPDF_SimpleParser* parser);
+ FX_BOOL Parse(CPDF_SimpleParser* parser, int depth);
 FX_BOOL Execute(CPDF_PSEngine* pEngine);
 private:
+ static const int kMaxDepth = 128;
 std::vector<std::unique_ptr<CPDF_PSOP>> m_Operators;
 };
diff --git a/core/fpdfapi/fpdf_page/fpdf_page_func.cpp b/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
index 63ab3056c7..266b2bd09f 100644
--- a/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
+++ b/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
@@ -139,9 +139,13 @@ FX_BOOL CPDF_PSEngine::Parse(const FX_CHAR* str, int size) {
 if (word != "{") {
 return FALSE;
 }
- return m_MainProc.Parse(&parser);
+ return m_MainProc.Parse(&parser, 0);
 }
-FX_BOOL CPDF_PSProc::Parse(CPDF_SimpleParser* parser) {
+
+FX_BOOL CPDF_PSProc::Parse(CPDF_SimpleParser* parser, int depth) {
+ if (depth > kMaxDepth)
+ return FALSE;
+
 while (1) {
 CFX_ByteStringC word = parser->GetWord();
 if (word.IsEmpty()) {
@@ -154,7 +158,7 @@ FX_BOOL CPDF_PSProc::Parse(CPDF_SimpleParser* parser) {
 std::unique_ptr<CPDF_PSProc> proc(new CPDF_PSProc);
 std::unique_ptr<CPDF_PSOP> op(new CPDF_PSOP(std::move(proc)));
 m_Operators.push_back(std::move(op));
- if (!m_Operators.back()->GetProc()->Parse(parser)) {
+ if (!m_Operators.back()->GetProc()->Parse(parser, depth + 1)) {
 return FALSE;
 }
 } else { |
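Review bot: The new `depth` argument on the public `Parse(CPDF_SimpleParser* parser, int depth)` makes every caller responsible for passing 0, and a caller that passes any other value silently shifts the recursion limit. Keeping a one-argument public `Parse` that forwards to a depth-carrying overload declared under `private:` next to `kMaxDepth` would keep the counter an internal detail. `kMaxDepth` is also undocumented; a comment such as `// Maximum nesting of procedures accepted by Parse(); bounds parser recursion on untrusted input.` would record why the constant exists.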
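Review bot: The guard `if (depth > kMaxDepth)` at the top of `CPDF_PSProc::Parse` accepts depths 0 through 128, so 129 nested levels are parsed before the limit trips. Either `if (depth >= kMaxDepth)` or a comment stating that the bound is inclusive would remove the ambiguity. The unbraced `if` also departs from the braced single-statement form of `if (word != "{") { return FALSE; }` in the context lines just above it. The diffstat lists only the header and this source file, so the fix carries no regression test; an input nested past the limit that asserts a `FALSE` return would pin the behaviour. The function body continues past the end of this hunk.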
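Review bot: The nested `CPDF_PSProc` is allocated and appended to `m_Operators` before the callee checks `depth`, so when the limit is hit the operator tree built so far stays in place behind the `FALSE` return. Callers appear to be expected to discard the engine on failure, but nothing visible here says so. A comment at this call such as `// On failure m_Operators is left partially populated; callers must not Execute().` would make that contract explicit. The enclosing loop starts before and ends after this hunk.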