summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Sinclair <dsinclair@chromium.org>2018-02-15 15:09:45 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-02-15 15:09:45 +0000
commit46f79aaad8330857e58cfd3928fdf91678112ae0 (patch)
treeaf3942be6aaf45858a0faf598e97c0d44afe5003
parentc4ffab7a2308dabdc2ba1355902d94f7cc3b2d8f (diff)
downloadpdfium-46f79aaad8330857e58cfd3928fdf91678112ae0.tar.xz
Add limit to number of formcalc expressions
Currently it's possible to create a formcalc script which creates a large number of expressions. This will eventually cause stack exhaustion as we try to allocate the needed expression objects. This CL limits the number of parsed expressions in the PostExpression section in order to keep from failing due to stack overflow. Bug: chromium:799721 Change-Id: I69fca35db7f75ef97aec21c22fc06d926dfe2df6 Reviewed-on: https://pdfium-review.googlesource.com/26870 Commit-Queue: Ryan Harrison <rharrison@chromium.org> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
-rw-r--r--xfa/fxfa/fm2js/cxfa_fmparser.cpp13
1 files changed, 11 insertions, 2 deletions
diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
index 644fdf2a82..e634f97013 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
@@ -15,8 +15,9 @@
namespace {
-const unsigned int kMaxAssignmentChainLength = 12;
-const unsigned int kMaxParseDepth = 1250;
+constexpr unsigned int kMaxAssignmentChainLength = 12;
+constexpr unsigned int kMaxParseDepth = 1250;
+constexpr unsigned int kMaxPostExpressions = 16384;
} // namespace
@@ -669,7 +670,15 @@ std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParser::ParsePostExpression(
return nullptr;
uint32_t line = m_token->m_line_num;
+ size_t expr_count = 0;
while (1) {
+ ++expr_count;
+ // Limit the number of expressions allowed in the post expression statement.
+ // If we don't do this then its possible to generate a stack overflow
+ // by having a very large number of things like .. expressions.
+ if (expr_count > kMaxPostExpressions)
+ return nullptr;
+
switch (m_token->m_type) {
case TOKlparen: {
if (!NextToken())