author | Dan Sinclair <dsinclair@chromium.org> | 2018-02-15 15:09:45 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-02-15 15:09:45 +0000 |
commit | 46f79aaad8330857e58cfd3928fdf91678112ae0 (patch) | |
tree | af3942be6aaf45858a0faf598e97c0d44afe5003 | |
parent | c4ffab7a2308dabdc2ba1355902d94f7cc3b2d8f (diff) | |
Add limit to number of formcalc expressions
Currently it's possible to create a formcalc script which creates a
large number of expressions. This will eventually cause stack exhaustion
as we try to allocate the needed expression objects.
This CL limits the number of parsed expressions in the PostExpression
section in order to keep from failing due to stack overflow.
Bug: chromium:799721
Change-Id: I69fca35db7f75ef97aec21c22fc06d926dfe2df6
Reviewed-on: https://pdfium-review.googlesource.com/26870
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
-rw-r--r-- | xfa/fxfa/fm2js/cxfa_fmparser.cpp | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
index 644fdf2a82..e634f97013 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
@@ -15,8 +15,9 @@ namespace {
-const unsigned int kMaxAssignmentChainLength = 12;
-const unsigned int kMaxParseDepth = 1250;
+constexpr unsigned int kMaxAssignmentChainLength = 12;
+constexpr unsigned int kMaxParseDepth = 1250;
+constexpr unsigned int kMaxPostExpressions = 16384;
 } // namespace
@@ -669,7 +670,15 @@ std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParser::ParsePostExpression(
     return nullptr;
   uint32_t line = m_token->m_line_num;
+  size_t expr_count = 0;
   while (1) {
+    ++expr_count;
+    // Limit the number of expressions allowed in the post expression statement.
+    // If we don't do this then its possible to generate a stack overflow
+    // by having a very large number of things like .. expressions.
+    if (expr_count > kMaxPostExpressions)
+      return nullptr;
+
     switch (m_token->m_type) {
       case TOKlparen: {
         if (!NextToken()) |
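Review bot: The cap of 16384 enforced by the new check ahead of the `switch` is about thirteen times kMaxParseDepth (1250), the recursion budget this same file already relies on, so if each loop iteration wraps the previous result in a new expression node (which the commit message's stack-exhaustion concern suggests, though the wrapping is not visible in the hunk), a chain at the limit still produces a tree up to 16384 levels deep whose recursive destruction or JavaScript translation may exhaust the very stack this change protects; run the at-limit case under the fuzzer or derive the constant from kMaxParseDepth rather than picking it independently. The counter is also incremented before the token is inspected, so the terminating non-post token is counted and the effective limit is 16383; moving `++expr_count;` into the post-expression cases would make the constant mean what its name says. The added comment has a typo, `its` → `it's`, and the rationale for the number belongs on the constant in the anonymous namespace, e.g. `// Cap on post-expression chain length: each link nests one level deeper, so this bounds recursion (crbug.com/799721).`. ParsePostExpression begins and ends outside the hunk.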