authorHenrique Nakashima <hnakashima@chromium.org>2018-07-17 20:47:27 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-07-17 20:47:27 +0000
commit3d7b555aa843b026c9dcb6b0f855af1d358ef2ba (patch)
tree66a3e9b7bfe0d640ac70a5af1a4401c64d242ab2
parentd563855ac72ba9dcec7f111587d6efaafc715b0d (diff)
Limit recursion depth for CXFA_DocumentParser::NormalLoader().
Bug: chromium:849143 Change-Id: I973bb3be6151ac3afad850533cb735c03e9f3d2c Reviewed-on: https://pdfium-review.googlesource.com/38210 Reviewed-by: Ryan Harrison <rharrison@chromium.org> Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
-rw-r--r--xfa/fxfa/parser/cxfa_document_parser.cpp7
-rw-r--r--xfa/fxfa/parser/cxfa_document_parser.h1
2 files changed, 8 insertions, 0 deletions
diff --git a/xfa/fxfa/parser/cxfa_document_parser.cpp b/xfa/fxfa/parser/cxfa_document_parser.cpp
index 599662a160..8e5ff9fbde 100644
--- a/xfa/fxfa/parser/cxfa_document_parser.cpp
+++ b/xfa/fxfa/parser/cxfa_document_parser.cpp
@@ -9,6 +9,7 @@
#include <utility>
#include <vector>
+#include "core/fxcrt/autorestorer.h"
#include "core/fxcrt/cfx_memorystream.h"
#include "core/fxcrt/cfx_widetextbuf.h"
#include "core/fxcrt/fx_codepage.h"
@@ -768,6 +769,12 @@ CXFA_Node* CXFA_DocumentParser::NormalLoader(CXFA_Node* pXFANode,
CFX_XMLNode* pXMLDoc,
XFA_PacketType ePacketID,
bool bUseAttribute) {
+ constexpr const unsigned long kMaxExecuteRecursion = 1000;
+ if (m_ExecuteRecursionDepth > kMaxExecuteRecursion)
+ return nullptr;
+ AutoRestorer<unsigned long> restorer(&m_ExecuteRecursionDepth);
+ ++m_ExecuteRecursionDepth;
+
bool bOneOfPropertyFound = false;
for (CFX_XMLNode* pXMLChild = pXMLDoc->GetFirstChild(); pXMLChild;
pXMLChild = pXMLChild->GetNextSibling()) {
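Review bot: The new guard at the top of NormalLoader() returns `nullptr` once the depth is exceeded, but nothing says what a null result means to callers. The recursive call sites and the rest of the body are outside the hunk, so it is not visible whether they treat null as a parse failure or skip the subtree and keep building a partial document. A short comment above the check would record the intent, e.g. `// Bound recursion so deeply nested XML cannot exhaust the stack; nullptr means the load failed.` Two smaller points on the same lines: `constexpr const` is redundant (`constexpr unsigned long kMaxExecuteRecursion = 1000;`), and because the test is `>` and runs before the increment, 1001 nested calls are admitted, so `>=` would make the constant the actual limit.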
diff --git a/xfa/fxfa/parser/cxfa_document_parser.h b/xfa/fxfa/parser/cxfa_document_parser.h
index 04ed5abb15..4e75db935a 100644
--- a/xfa/fxfa/parser/cxfa_document_parser.h
+++ b/xfa/fxfa/parser/cxfa_document_parser.h
@@ -75,6 +75,7 @@ class CXFA_DocumentParser {
std::unique_ptr<CFX_XMLDocument> xml_doc_;
// TODO(dsinclair): Figure out who owns this.
CXFA_Node* m_pRootNode = nullptr;
+ unsigned long m_ExecuteRecursionDepth = 0;
};
#endif // XFA_FXFA_PARSER_CXFA_DOCUMENT_PARSER_H_
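Review bot: `m_ExecuteRecursionDepth` is added without a comment, and its name says "Execute" although the only user visible in this commit is NormalLoader(), so a reader of the header cannot tell what it counts or why it exists. I would add a comment such as `// Current NormalLoader() nesting depth; checked against a fixed limit to bound stack use.` and, if no other function shares the counter, pick a name that matches. The class body starts outside the hunk, so other users of the member cannot be ruled out from here.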