authorRyan Harrison <rharrison@chromium.org>2018-08-08 15:04:26 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-08-08 15:04:26 +0000
commit6d9897b103aef10b369eb999a40c22011a8ae4f5 (patch)
tree5810fcece4c8e37c902a6e9ee17c9d158ccd88ec
parentf90277e7f4bd99bba419b53341c6c7bdca478eed (diff)
Limit size of expression list in FormCalc parserchromium/3517
Limits the number of elements that can be added to the expressions list in the FormCalc parser. This handles cases like long strings of ! repeated, since ! is a valid identifier and identifiers are valid expressions, even though the result will be a no-op. This is another case of something that is valid, but stupid. BUG=chromium:870385 Change-Id: I8e34ce00bcbe4499e0a45bd5dc38541793144481 Reviewed-on: https://pdfium-review.googlesource.com/39630 Reviewed-by: Henrique Nakashima <hnakashima@chromium.org> Commit-Queue: Ryan Harrison <rharrison@chromium.org>
-rw-r--r--xfa/fxfa/fm2js/cxfa_fmparser.cpp7
1 files changed, 7 insertions, 0 deletions
diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
index be0a31b519..0857573cdf 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
@@ -17,6 +17,7 @@ namespace {
constexpr unsigned int kMaxParseDepth = 1250;
constexpr unsigned int kMaxPostExpressions = 256;
+constexpr unsigned int kMaxExpressionListSize = 10000;
} // namespace
@@ -91,6 +92,12 @@ CXFA_FMParser::ParseExpressionList() {
m_error = true;
return std::vector<std::unique_ptr<CXFA_FMExpression>>();
}
+
+ if (expressions.size() >= kMaxExpressionListSize) {
+ m_error = true;
+ return std::vector<std::unique_ptr<CXFA_FMExpression>>();
+ }
+
expressions.push_back(std::move(expr));
}
return expressions;
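Review bot: The new size check runs after the next expression appears to have already been parsed (the `expr` error path directly above it is the only earlier visible statement of the body), so the element that trips the limit still costs a full parse before the whole list is discarded; if the loop header allows it, testing `expressions.size() >= kMaxExpressionListSize` before parsing would make the cut-off cheaper without changing the outcome. The constant introduced in the first hunk carries no comment on why 10000 was chosen or what it protects against; a line such as `// Caps the number of expressions in a single list so pathological input (e.g. a long run of '!' identifiers, chromium:870385) cannot grow this vector without bound.` would let the next reader tell it apart from kMaxParseDepth and kMaxPostExpressions. Reporting the overflow by setting m_error and returning an empty vector matches the existing error path above, which is good. ParseExpressionList begins outside this hunk, so the loop condition and where `expr` is produced cannot be confirmed here.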