diff options
author | Ryan Harrison <rharrison@chromium.org> | 2017-06-29 10:43:53 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-06-29 14:56:38 +0000 |
commit | 580c159e8b8b1d38454f98276a57caf1acce98e6 (patch) | |
tree | 78241a70729004a91eac15e8b795d494dab7c329 | |
parent | 1ef2f828f71e40437d82bb039dcb087c1beb7bd6 (diff) | |
download | pdfium-580c159e8b8b1d38454f98276a57caf1acce98e6.tar.xz |
Cleanup call expression handling in fm2js
Remove handling of arbitrary function calls, and only allow supported
function calls. Issues with the lexer being overly permissive led to
large blobs of javascript being dropped into the output. Specifically
driver code was assuming that anything marked as a function would just
be an identifier that could be inserted into the javascript, but the
lexer marks things like ()()() as a function, which would lead to the
following JS being inserted as an identifier.
This change is intended to be a patch for the specific issue that was
being seen from the fuzzer test, and further work will be needed to
make the lexer more strict.
BUG=724913
TEST=Ran fuzzer test case. Ran unittests,embeddertests,corpustests.
Change-Id: Ib7d9239bf6fece853bea0f4915ee4ad72d3cd290
Reviewed-on: https://pdfium-review.googlesource.com/7032
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
-rw-r--r-- | testing/xfa_js_embedder_test.cpp | 23 | ||||
-rw-r--r-- | testing/xfa_js_embedder_test.h | 4 | ||||
-rw-r--r-- | xfa/fxfa/fm2js/cxfa_fm2jscontext_embeddertest.cpp | 12 | ||||
-rw-r--r-- | xfa/fxfa/fm2js/cxfa_fmsimpleexpression.cpp | 90 | ||||
-rw-r--r-- | xfa/fxfa/fm2js/cxfa_fmsimpleexpression.h | 2 |
5 files changed, 73 insertions, 58 deletions
diff --git a/testing/xfa_js_embedder_test.cpp b/testing/xfa_js_embedder_test.cpp index 4a29872eab..e5a30f6b88 100644 --- a/testing/xfa_js_embedder_test.cpp +++ b/testing/xfa_js_embedder_test.cpp @@ -53,18 +53,27 @@ bool XFAJSEmbedderTest::OpenDocument(const std::string& filename, } bool XFAJSEmbedderTest::Execute(const CFX_ByteStringC& input) { - value_ = pdfium::MakeUnique<CFXJSE_Value>(GetIsolate()); - if (script_context_->RunScript(XFA_SCRIPTLANGTYPE_Formcalc, - CFX_WideString::FromUTF8(input).AsStringC(), - value_.get(), GetXFADocument()->GetRoot())) { + if (ExecuteHelper(input)) { return true; } CFXJSE_Value msg(GetIsolate()); value_->GetObjectPropertyByIdx(1, &msg); - EXPECT_TRUE(msg.IsString()); - fprintf(stderr, "JS: %.*s\n", input.GetLength(), input.c_str()); - fprintf(stderr, "JS ERROR: %ls\n", msg.ToWideString().c_str()); + // If the parsing of the input fails, then v8 will not run, so there will be + // no value here to print. + if (msg.IsString() && !msg.ToWideString().IsEmpty()) + fprintf(stderr, "JS ERROR: %ls\n", msg.ToWideString().c_str()); return false; } + +bool XFAJSEmbedderTest::ExecuteSilenceFailure(const CFX_ByteStringC& input) { + return ExecuteHelper(input); +} + +bool XFAJSEmbedderTest::ExecuteHelper(const CFX_ByteStringC& input) { + value_ = pdfium::MakeUnique<CFXJSE_Value>(GetIsolate()); + return script_context_->RunScript(XFA_SCRIPTLANGTYPE_Formcalc, + CFX_WideString::FromUTF8(input).AsStringC(), + value_.get(), GetXFADocument()->GetRoot()); +} diff --git a/testing/xfa_js_embedder_test.h b/testing/xfa_js_embedder_test.h index afbdb26e1a..1dc06f05e6 100644 --- a/testing/xfa_js_embedder_test.h +++ b/testing/xfa_js_embedder_test.h @@ -33,6 +33,8 @@ class XFAJSEmbedderTest : public EmbedderTest { CXFA_Document* GetXFADocument(); bool Execute(const CFX_ByteStringC& input); + bool ExecuteSilenceFailure(const CFX_ByteStringC& input); + CFXJSE_Value* GetValue() const { return value_.get(); } private: @@ -40,6 +42,8 @@ class XFAJSEmbedderTest : public EmbedderTest { std::unique_ptr<CFXJSE_Value> value_; v8::Isolate* isolate_; CXFA_ScriptContext* script_context_; + + bool ExecuteHelper(const CFX_ByteStringC& input); }; #endif // TESTING_XFA_JS_EMBEDDER_TEST_H_ diff --git a/xfa/fxfa/fm2js/cxfa_fm2jscontext_embeddertest.cpp b/xfa/fxfa/fm2js/cxfa_fm2jscontext_embeddertest.cpp index 7902bb7c8d..ff2e200186 100644 --- a/xfa/fxfa/fm2js/cxfa_fm2jscontext_embeddertest.cpp +++ b/xfa/fxfa/fm2js/cxfa_fm2jscontext_embeddertest.cpp @@ -1432,3 +1432,15 @@ TEST_F(FM2JSContextEmbedderTest, Post) { TEST_F(FM2JSContextEmbedderTest, Put) { // TODO(dsinclair): Is this supported? } + +TEST_F(FM2JSContextEmbedderTest, InvalidFunctions) { + ASSERT_TRUE(OpenDocument("simple_xfa.pdf")); + + const char* const tests[] = { + "F()", "()", "()()()", "Round(2.0)()", + }; + + for (size_t i = 0; i < FX_ArraySize(tests); ++i) { + EXPECT_FALSE(ExecuteSilenceFailure(tests[i])); + } +} diff --git a/xfa/fxfa/fm2js/cxfa_fmsimpleexpression.cpp b/xfa/fxfa/fm2js/cxfa_fmsimpleexpression.cpp index 1305126554..7ab2e13bf9 100644 --- a/xfa/fxfa/fm2js/cxfa_fmsimpleexpression.cpp +++ b/xfa/fxfa/fm2js/cxfa_fmsimpleexpression.cpp @@ -6,6 +6,8 @@ #include "xfa/fxfa/fm2js/cxfa_fmsimpleexpression.h" +#include <algorithm> +#include <iostream> #include <utility> #include "core/fxcrt/fx_extension.h" @@ -25,46 +27,27 @@ const wchar_t* const gs_lpStrExpFuncName[] = { L"pfm_rt.var_filter", }; -struct XFA_FMBuildInFunc { - uint32_t m_uHash; - const wchar_t* m_buildinfunc; +const wchar_t* const g_BuiltInFuncs[] = { + L"Abs", L"Apr", L"At", L"Avg", + L"Ceil", L"Choose", L"Concat", L"Count", + L"Cterm", L"Date", L"Date2Num", L"DateFmt", + L"Decode", L"Encode", L"Eval", L"Exists", + L"Floor", L"Format", L"FV", L"Get", + L"HasValue", L"If", L"Ipmt", L"IsoDate2Num", + L"IsoTime2Num", L"Left", L"Len", L"LocalDateFmt", + L"LocalTimeFmt", L"Lower", L"Ltrim", L"Max", + L"Min", L"Mod", L"NPV", L"Num2Date", + L"Num2GMTime", L"Num2Time", L"Oneof", L"Parse", + L"Pmt", L"Post", L"PPmt", L"Put", + L"PV", L"Rate", L"Ref", L"Replace", + L"Right", L"Round", L"Rtrim", L"Space", + L"Str", L"Stuff", L"Substr", L"Sum", + L"Term", L"Time", L"Time2Num", L"TimeFmt", + L"UnitType", L"UnitValue", L"Upper", L"Uuid", + L"Within", L"WordNum", }; -const XFA_FMBuildInFunc g_BuildInFuncs[] = { - {0x0001f1f5, L"At"}, {0x00020b9c, L"FV"}, - {0x00021aef, L"If"}, {0x00023ee6, L"PV"}, - {0x04b5c9ee, L"Encode"}, {0x08e96685, L"DateFmt"}, - {0x09f99db6, L"Abs"}, {0x09f9e583, L"Apr"}, - {0x09fa043e, L"Avg"}, {0x0a9782a0, L"Get"}, - {0x0b1b09df, L"Len"}, {0x0b3543a6, L"Max"}, - {0x0b356ca4, L"Min"}, {0x0b358b60, L"Mod"}, - {0x0b4fded4, L"NPV"}, {0x0b846bf1, L"Pmt"}, - {0x0b8494f9, L"Put"}, {0x0bb8df5d, L"Ref"}, - {0x0bd37a99, L"Str"}, {0x0bd37fb5, L"Sum"}, - {0x1048469b, L"Cterm"}, {0x11e03660, L"Exists"}, - {0x126236e6, L"Post"}, {0x127c6661, L"PPmt"}, - {0x193ade3e, L"Right"}, {0x1ec8ab2c, L"Rate"}, - {0x20e476dc, L"IsoTime2Num"}, {0x23eb6816, L"TimeFmt"}, - {0x24fb17b0, L"LocalDateFmt"}, {0x28dee6e9, L"Format"}, - {0x2d0890b8, L"Term"}, {0x2d71b00f, L"Time"}, - {0x2f890fb1, L"Num2Time"}, {0x3767511d, L"Ceil"}, - {0x3ffd1941, L"LocalTimeFmt"}, {0x442f68c8, L"Round"}, - {0x46fd1128, L"Eval"}, {0x4d629440, L"Date2Num"}, - {0x4dcf25f8, L"Concat"}, {0x4e00255d, L"UnitValue"}, - {0x55a5cc29, L"Lower"}, {0x5e43e04c, L"WordNum"}, - {0x620ce6ba, L"Ipmt"}, {0x6f544d49, L"Count"}, - {0x7e241013, L"Within"}, {0x9b9a6e2b, L"IsoDate2Num"}, - {0xb2c941c2, L"UnitType"}, {0xb598a1f7, L"Uuid"}, - {0xbde9abde, L"Date"}, {0xc0010b80, L"Num2Date"}, - {0xc1f6144c, L"Upper"}, {0xc44028f7, L"Oneof"}, - {0xc62c1b2c, L"Space"}, {0xd0ff50f9, L"HasValue"}, - {0xd1537042, L"Floor"}, {0xd2ac9cf1, L"Time2Num"}, - {0xd907aee5, L"Num2GMTime"}, {0xdf24f7c4, L"Decode"}, - {0xe2664803, L"Substr"}, {0xe3e7b528, L"Stuff"}, - {0xe6792d4e, L"Rtrim"}, {0xe8c23f5b, L"Parse"}, - {0xea18d121, L"Choose"}, {0xebfef69c, L"Replace"}, - {0xf5ad782b, L"Left"}, {0xf7bb2248, L"Ltrim"}, -}; +const FX_STRSIZE g_BuiltInFuncsMaxLen = 12; struct XFA_FMSOMMethod { uint32_t m_uHash; @@ -533,17 +516,20 @@ CXFA_FMCallExpression::CXFA_FMCallExpression( CXFA_FMCallExpression::~CXFA_FMCallExpression() {} -bool CXFA_FMCallExpression::IsBuildInFunc(CFX_WideTextBuf* funcName) { - uint32_t uHash = FX_HashCode_GetW(funcName->AsStringC(), true); - const XFA_FMBuildInFunc* pEnd = g_BuildInFuncs + FX_ArraySize(g_BuildInFuncs); - const XFA_FMBuildInFunc* pFunc = - std::lower_bound(g_BuildInFuncs, pEnd, uHash, - [](const XFA_FMBuildInFunc& func, uint32_t hash) { - return func.m_uHash < hash; - }); - if (pFunc < pEnd && uHash == pFunc->m_uHash) { +bool CXFA_FMCallExpression::IsBuiltInFunc(CFX_WideTextBuf* funcName) { + if (funcName->GetLength() > g_BuiltInFuncsMaxLen) + return false; + + CFX_WideString str = funcName->MakeString(); + const wchar_t* const* pEnd = g_BuiltInFuncs + FX_ArraySize(g_BuiltInFuncs); + const wchar_t* const* pMatchResult = std::lower_bound( + g_BuiltInFuncs, pEnd, str, + [](const wchar_t* iter, const CFX_WideString& val) -> bool { + return val.CompareNoCase(iter) > 0; + }); + if (pMatchResult < pEnd && !str.CompareNoCase(*pMatchResult)) { funcName->Clear(); - *funcName << pFunc->m_buildinfunc; + *funcName << *pMatchResult; return true; } return false; @@ -618,7 +604,7 @@ bool CXFA_FMCallExpression::ToJavaScript(CFX_WideTextBuf& javascript) { } else { bool isEvalFunc = false; bool isExistsFunc = false; - if (IsBuildInFunc(&funcName)) { + if (IsBuiltInFunc(&funcName)) { if (funcName.AsStringC() == L"Eval") { isEvalFunc = true; javascript << L"eval.call(this, "; @@ -633,7 +619,11 @@ bool CXFA_FMCallExpression::ToJavaScript(CFX_WideTextBuf& javascript) { javascript << funcName; } } else { - javascript << funcName; + // If a function is not a SomMethod or a built-in then the input was + // invalid, so failing. The scanner/lexer should catch this, but currently + // doesn't. This failure will bubble up to the top-level and cause the + // transpile to fail. + return false; } javascript << L"("; if (isExistsFunc) { diff --git a/xfa/fxfa/fm2js/cxfa_fmsimpleexpression.h b/xfa/fxfa/fm2js/cxfa_fmsimpleexpression.h index 8cdaf35b0f..6f014297a7 100644 --- a/xfa/fxfa/fm2js/cxfa_fmsimpleexpression.h +++ b/xfa/fxfa/fm2js/cxfa_fmsimpleexpression.h @@ -238,7 +238,7 @@ class CXFA_FMCallExpression : public CXFA_FMUnaryExpression { bool bIsSomMethod); ~CXFA_FMCallExpression() override; - bool IsBuildInFunc(CFX_WideTextBuf* funcName); + bool IsBuiltInFunc(CFX_WideTextBuf* funcName); uint32_t IsMethodWithObjParam(const CFX_WideStringC& methodName); bool ToJavaScript(CFX_WideTextBuf& javascript) override; |