Fix stack exhaustion in CPDF_DataAvail::HaveResourceAncestor()

BUG=https://code.google.com/p/pdfium/issues/detail?id=113 R=thestig@chromium.org Review URL: https://codereview.chromium.org/880043004
author: Tom Sepez <tsepez@chromium.org> 2015-02-03 16:18:19 -0800
committer: Tom Sepez <tsepez@chromium.org> 2015-02-03 16:18:19 -0800
commit: 0c01ad05afe4dbc36c6aa32a10a0f98eb677d4be (patch)
tree: 77a8806b3413135a838908215b71fac484a7f3dd
parent: 615082de70c7fc18d46d0d1a03b62d0d76b1daa9 (diff)
download: pdfium-0c01ad05afe4dbc36c6aa32a10a0f98eb677d4be.tar.xz
4 files changed, 85 insertions, 4 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 29265f407f..4b80895d61 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -2743,7 +2743,11 @@ public:
     }
 
     virtual void                        GetLinearizedMainXRefInfo(FX_FILESIZE *pPos, FX_DWORD *pSize)  FX_OVERRIDE;
+
 protected:
+    static const int kMaxDataAvailRecursionDepth = 64;
+    static int s_CurrentDataAvailRecursionDepth;
+
     FX_DWORD                            GetObjectSize(FX_DWORD objnum, FX_FILESIZE& offset);
     FX_BOOL                             IsObjectsAvail(CFX_PtrArray& obj_array, FX_BOOL bParsePage, IFX_DownloadHints* pHints, CFX_PtrArray &ret_array);
     FX_BOOL                             CheckDocStatus(IFX_DownloadHints *pHints);
@@ -2919,6 +2923,9 @@ IPDF_DataAvail* IPDF_DataAvail::Create(IFX_FileAvail* pFileAvail, IFX_FileRead*
   return FX_NEW CPDF_DataAvail(pFileAvail, pFileRead);
 }
 
+// static
+int CPDF_DataAvail::s_CurrentDataAvailRecursionDepth = 0;
+
 CPDF_DataAvail::CPDF_DataAvail(IFX_FileAvail* pFileAvail, IFX_FileRead* pFileRead)
     : IPDF_DataAvail(pFileAvail, pFileRead)
 {
@@ -4395,6 +4402,10 @@ FX_BOOL CPDF_DataAvail::CheckLinearizedFirstPage(FX_INT32 iPage, IFX_DownloadHin
 }
 FX_BOOL CPDF_DataAvail::HaveResourceAncestor(CPDF_Dictionary *pDict)
 {
+    CFX_AutoRestorer<int> restorer(&s_CurrentDataAvailRecursionDepth);
+    if (++s_CurrentDataAvailRecursionDepth > kMaxDataAvailRecursionDepth) {
+        return FALSE;
+    }
     CPDF_Object *pParent = pDict->GetElement("Parent");
     if (!pParent) {
         return FALSE;
@@ -4407,9 +4418,8 @@ FX_BOOL CPDF_DataAvail::HaveResourceAncestor(CPDF_Dictionary *pDict)
     if (pRet) {
         m_pPageResource = pRet;
         return TRUE;
-    } else {
-        return HaveResourceAncestor(pParentDict);
     }
+    return HaveResourceAncestor(pParentDict);
 }
 FX_BOOL CPDF_DataAvail::IsPageAvail(FX_INT32 iPage, IFX_DownloadHints* pHints)
 {
diff --git a/fpdfsdk/src/fpdfview_embeddertest.cpp b/fpdfsdk/src/fpdfview_embeddertest.cpp
index f9b611bbf6..04549741ec 100644
--- a/fpdfsdk/src/fpdfview_embeddertest.cpp
+++ b/fpdfsdk/src/fpdfview_embeddertest.cpp
@@ -177,11 +177,15 @@ TEST_F(FPDFViewEmbeddertest, NamedDestsByName) {
 }
 
 // The following tests pass if the document opens without crashing.
-TEST_F(FPDFViewEmbeddertest, Crasher1) {
+TEST_F(FPDFViewEmbeddertest, Crasher_113) {
+  EXPECT_TRUE(OpenDocument("testing/resources/bug_113.pdf"));
+}
+
+TEST_F(FPDFViewEmbeddertest, Crasher_451830) {
   EXPECT_TRUE(OpenDocument("testing/resources/bug_451830.pdf"));
 }
 
-TEST_F(FPDFViewEmbeddertest, Crasher2) {
+TEST_F(FPDFViewEmbeddertest, Crasher_452455) {
   EXPECT_TRUE(OpenDocument("testing/resources/bug_452455.pdf"));
   FPDF_PAGE page = LoadPage(0);
   EXPECT_NE(nullptr, page);
diff --git a/testing/resources/bug_113.in b/testing/resources/bug_113.in
new file mode 100644
index 0000000000..5fc6e71744
--- /dev/null
+++ b/testing/resources/bug_113.in
@@ -0,0 +1,29 @@
+{{header}}
+{{object 3 0}} <<
+  /Pages 5 0 R
+>>
+endobj
+{{object 4 0}} <<
+/Type /Page
+/Parent 5 0 R
+/Resources <<
+/Font <<xt
+endobj
+% partial object
+{{object 5 0}} <<
+  /Type /Page
+  /Parent 5 0 R
+  /bork <<
+endobj
+% duplicate definition of partial object
+{{object 5 0}} <<
+  /Kids [4 0 R]
+  /bork 1P
+  /MediaBox [ 0
+endobj
+{{xref}}
+trailer <<
+  /Root 3 0 R
+>>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/bug_113.pdf b/testing/resources/bug_113.pdf
new file mode 100644
index 0000000000..0a524c1b8e
--- /dev/null
+++ b/testing/resources/bug_113.pdf
@@ -0,0 +1,38 @@
+%PDF-1.7
+%���
+3 0 obj <<
+  /Pages 5 0 R
+>>
+endobj
+4 0 obj <<
+/Type /Page
+/Parent 5 0 R
+/Resources <<
+/Font <<xt
+endobj
+% partial object
+5 0 obj <<
+  /Type /Page
+  /Parent 5 0 R
+  /bork <<
+endobj
+% duplicate definition of partial object
+5 0 obj <<
+  /Kids [4 0 R]
+  /bork 1P
+  /MediaBox [ 0
+endobj
+xref
+0 6
+0000000000 65536 f
+0000000000 65536 f
+0000000000 65536 f
+0000000015 00000 n
+0000000051 00000 n
+0000000237 00000 n
+trailer <<
+  /Root 3 0 R
+>>
+startxref
+298
+%%EOF
author	Tom Sepez <tsepez@chromium.org>	2015-02-03 16:18:19 -0800
committer	Tom Sepez <tsepez@chromium.org>	2015-02-03 16:18:19 -0800
commit	0c01ad05afe4dbc36c6aa32a10a0f98eb677d4be (patch)
tree	77a8806b3413135a838908215b71fac484a7f3dd
parent	615082de70c7fc18d46d0d1a03b62d0d76b1daa9 (diff)
download	pdfium-0c01ad05afe4dbc36c6aa32a10a0f98eb677d4be.tar.xz