diff options
author | Ryan Harrison <rharrison@chromium.org> | 2018-08-08 15:04:26 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-08-08 15:04:26 +0000 |
commit | 6d9897b103aef10b369eb999a40c22011a8ae4f5 (patch) | |
tree | 5810fcece4c8e37c902a6e9ee17c9d158ccd88ec | |
parent | f90277e7f4bd99bba419b53341c6c7bdca478eed (diff) | |
download | pdfium-chromium/3517.tar.xz |
Limit size of expression list in FormCalc parserchromium/3517
Limits the number of elements that can be added to the expressions
list in the FormCalc parser. This handles cases like long strings of !
repeated, since ! is a valid identifier and identifiers are valid
expression, even though it will be no-op. This is another case of
something that is valid, but stupid.
BUG=chromium:870385
Change-Id: I8e34ce00bcbe4499e0a45bd5dc38541793144481
Reviewed-on: https://pdfium-review.googlesource.com/39630
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
-rw-r--r-- | xfa/fxfa/fm2js/cxfa_fmparser.cpp | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp index be0a31b519..0857573cdf 100644 --- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp +++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp @@ -17,6 +17,7 @@ namespace { constexpr unsigned int kMaxParseDepth = 1250; constexpr unsigned int kMaxPostExpressions = 256; +constexpr unsigned int kMaxExpressionListSize = 10000; } // namespace @@ -91,6 +92,12 @@ CXFA_FMParser::ParseExpressionList() { m_error = true; return std::vector<std::unique_ptr<CXFA_FMExpression>>(); } + + if (expressions.size() >= kMaxExpressionListSize) { + m_error = true; + return std::vector<std::unique_ptr<CXFA_FMExpression>>(); + } + expressions.push_back(std::move(expr)); } return expressions; |