diff options
author | Ryan Harrison <rharrison@chromium.org> | 2018-08-03 19:45:26 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-08-03 19:45:26 +0000 |
commit | e819c2057ffdea90fef40d5801aec22ecd8571cd (patch) | |
tree | 778870a39298b26d70de17bfcc3c2a76202601fb | |
parent | 2958a8faf500b9c01ca968ee46fe89795eafe2a7 (diff) | |
download | pdfium-e819c2057ffdea90fef40d5801aec22ecd8571cd.tar.xz |
Make CFX_XMLParser less permissive
Currently the parser will accept arbitrary garbage before the first
element begins. This is causing issues with ClusterFuzz since it
generates a lot of trash inputs which take a long time to parse
inspite of being invalid.
This CL adds in a check of how deep the parse is when dealing with
text, and if it is at the top level scope, then only accept the
beginning of the root node.
BUG=chromium:863098
Change-Id: Ie45114ecf488f7e8a68a120d153033c7089d5cdc
Reviewed-on: https://pdfium-review.googlesource.com/39470
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
-rw-r--r-- | core/fxcrt/xml/cfx_xmlparser.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/core/fxcrt/xml/cfx_xmlparser.cpp b/core/fxcrt/xml/cfx_xmlparser.cpp index 094daac889..115b3e7e92 100644 --- a/core/fxcrt/xml/cfx_xmlparser.cpp +++ b/core/fxcrt/xml/cfx_xmlparser.cpp @@ -92,7 +92,8 @@ bool CFX_XMLParser::DoSyntaxParse(CFX_XMLDocument* doc) { FX_SAFE_SIZE_T alloc_size_safe = m_iXMLPlaneSize; alloc_size_safe += 1; // For NUL. - if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0) + if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0 || + m_iXMLPlaneSize <= 0) return false; std::vector<wchar_t> buffer; @@ -133,6 +134,8 @@ bool CFX_XMLParser::DoSyntaxParse(CFX_XMLDocument* doc) { current_parser_state = FDE_XmlSyntaxState::Node; } } else { + if (node_type_stack.size() <= 0 && ch && !FXSYS_iswspace(ch)) + return false; ProcessTextChar(ch); current_buffer_idx++; } |