diff options
author | Henrique Nakashima <hnakashima@chromium.org> | 2018-07-17 20:47:27 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-07-17 20:47:27 +0000 |
commit | 3d7b555aa843b026c9dcb6b0f855af1d358ef2ba (patch) | |
tree | 66a3e9b7bfe0d640ac70a5af1a4401c64d242ab2 | |
parent | d563855ac72ba9dcec7f111587d6efaafc715b0d (diff) | |
download | pdfium-3d7b555aa843b026c9dcb6b0f855af1d358ef2ba.tar.xz |
Limit recursion depth for CXFA_DocumentParser::NormalLoader().
Bug: chromium:849143
Change-Id: I973bb3be6151ac3afad850533cb735c03e9f3d2c
Reviewed-on: https://pdfium-review.googlesource.com/38210
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
-rw-r--r-- | xfa/fxfa/parser/cxfa_document_parser.cpp | 7 | ||||
-rw-r--r-- | xfa/fxfa/parser/cxfa_document_parser.h | 1 |
2 files changed, 8 insertions, 0 deletions
diff --git a/xfa/fxfa/parser/cxfa_document_parser.cpp b/xfa/fxfa/parser/cxfa_document_parser.cpp index 599662a160..8e5ff9fbde 100644 --- a/xfa/fxfa/parser/cxfa_document_parser.cpp +++ b/xfa/fxfa/parser/cxfa_document_parser.cpp @@ -9,6 +9,7 @@ #include <utility> #include <vector> +#include "core/fxcrt/autorestorer.h" #include "core/fxcrt/cfx_memorystream.h" #include "core/fxcrt/cfx_widetextbuf.h" #include "core/fxcrt/fx_codepage.h" @@ -768,6 +769,12 @@ CXFA_Node* CXFA_DocumentParser::NormalLoader(CXFA_Node* pXFANode, CFX_XMLNode* pXMLDoc, XFA_PacketType ePacketID, bool bUseAttribute) { + constexpr const unsigned long kMaxExecuteRecursion = 1000; + if (m_ExecuteRecursionDepth > kMaxExecuteRecursion) + return nullptr; + AutoRestorer<unsigned long> restorer(&m_ExecuteRecursionDepth); + ++m_ExecuteRecursionDepth; + bool bOneOfPropertyFound = false; for (CFX_XMLNode* pXMLChild = pXMLDoc->GetFirstChild(); pXMLChild; pXMLChild = pXMLChild->GetNextSibling()) { diff --git a/xfa/fxfa/parser/cxfa_document_parser.h b/xfa/fxfa/parser/cxfa_document_parser.h index 04ed5abb15..4e75db935a 100644 --- a/xfa/fxfa/parser/cxfa_document_parser.h +++ b/xfa/fxfa/parser/cxfa_document_parser.h @@ -75,6 +75,7 @@ class CXFA_DocumentParser { std::unique_ptr<CFX_XMLDocument> xml_doc_; // TODO(dsinclair): Figure out who owns this. CXFA_Node* m_pRootNode = nullptr; + unsigned long m_ExecuteRecursionDepth = 0; }; #endif // XFA_FXFA_PARSER_CXFA_DOCUMENT_PARSER_H_ |