authortsepez <tsepez@chromium.org>2016-09-20 05:56:50 -0700
committerCommit bot <commit-bot@chromium.org>2016-09-20 05:56:50 -0700
commit044b1d6f4929dd8905a259c1e134f2e582726d3b (patch)
tree09f2d32ff9d80e2a8dfba562ef489417c11cfeaa
parent81e1e3fd2d33478733e47bd007b76fac1a663e74 (diff)
downloadpdfium-044b1d6f4929dd8905a259c1e134f2e582726d3b.tar.xz
Fix stack exhaustion in CPDF_PSProc::Parse()
BUG=648059 Review-Url: https://codereview.chromium.org/2350013003
-rw-r--r--core/fpdfapi/fpdf_page/cpdf_psengine.h3
-rw-r--r--core/fpdfapi/fpdf_page/fpdf_page_func.cpp10
2 files changed, 9 insertions, 4 deletions
diff --git a/core/fpdfapi/fpdf_page/cpdf_psengine.h b/core/fpdfapi/fpdf_page/cpdf_psengine.h
index fc8badbe6d..c154eb8ac8 100644
--- a/core/fpdfapi/fpdf_page/cpdf_psengine.h
+++ b/core/fpdfapi/fpdf_page/cpdf_psengine.h
@@ -70,10 +70,11 @@ class CPDF_PSProc {
CPDF_PSProc();
~CPDF_PSProc();
- FX_BOOL Parse(CPDF_SimpleParser* parser);
+ FX_BOOL Parse(CPDF_SimpleParser* parser, int depth);
FX_BOOL Execute(CPDF_PSEngine* pEngine);
private:
+ static const int kMaxDepth = 128;
std::vector<std::unique_ptr<CPDF_PSOP>> m_Operators;
};
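Review bot: The new `depth` parameter and `kMaxDepth` are undocumented in the header, so a reader cannot tell that the limit exists to stop recursion on nested `{ ... }` procedures taken from document content. I would add `// |depth| is the current procedure nesting level; external callers pass 0.` above `Parse` and `// Deepest procedure nesting Parse() accepts; deeper input is rejected to bound recursion.` above `kMaxDepth`. Because `Parse` stays public with a caller-supplied `depth`, nothing prevents an outside caller from starting at a non-zero value. Keeping a public one-argument `Parse` that forwards to a private depth-taking helper would close that off. The class body begins outside this hunk.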
diff --git a/core/fpdfapi/fpdf_page/fpdf_page_func.cpp b/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
index 63ab3056c7..266b2bd09f 100644
--- a/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
+++ b/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
@@ -139,9 +139,13 @@ FX_BOOL CPDF_PSEngine::Parse(const FX_CHAR* str, int size) {
if (word != "{") {
return FALSE;
}
- return m_MainProc.Parse(&parser);
+ return m_MainProc.Parse(&parser, 0);
}
-FX_BOOL CPDF_PSProc::Parse(CPDF_SimpleParser* parser) {
+
+FX_BOOL CPDF_PSProc::Parse(CPDF_SimpleParser* parser, int depth) {
+ if (depth > kMaxDepth)
+ return FALSE;
+
while (1) {
CFX_ByteStringC word = parser->GetWord();
if (word.IsEmpty()) {
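Review bot: The guard `if (depth > kMaxDepth)` accepts depths 0 through 128, so one more nesting level is parsed than the constant's name suggests; `if (depth >= kMaxDepth)` would make `kMaxDepth` the actual bound. The rejection also returns the same `FALSE` as an ordinary syntax error, so a short comment on the guard, e.g. `// Reject excessively nested procedures to avoid exhausting the stack.`, would help whoever next triages a failed parse. The diffstat shows only the header and this file changed, so no regression test with a deeply nested `{` input accompanies the limit; adding one would keep the bound from being silently removed. The body of `CPDF_PSProc::Parse` continues past the end of this hunk.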
@@ -154,7 +158,7 @@ FX_BOOL CPDF_PSProc::Parse(CPDF_SimpleParser* parser) {
std::unique_ptr<CPDF_PSProc> proc(new CPDF_PSProc);
std::unique_ptr<CPDF_PSOP> op(new CPDF_PSOP(std::move(proc)));
m_Operators.push_back(std::move(op));
- if (!m_Operators.back()->GetProc()->Parse(parser)) {
+ if (!m_Operators.back()->GetProc()->Parse(parser, depth + 1)) {
return FALSE;
}
} else {