authorLei Zhang <thestig@chromium.org>2017-04-28 11:51:08 -0700
committerChromium commit bot <commit-bot@chromium.org>2017-04-28 19:06:30 +0000
commit7831f57f04ad3f581222b0a23eeb736601f98e96 (patch)
tree98e12dd2169dfceda9bf3450ff3e0ae9ef46dc1c
parent66568bcd683dd7b18672cb3aebca4487e9203519 (diff)
Fix stack overflow in CFieldTree::Node::GetFieldInternal().
Limit recursion depth, just like in CountFieldsInternal(). BUG=chromium:716523 Change-Id: I70c052347a1d8fb9a4dbc065a1c9af55c02818f2 Reviewed-on: https://pdfium-review.googlesource.com/4612 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
-rw-r--r--core/fpdfdoc/cpdf_interform.cpp10
1 files changed, 7 insertions, 3 deletions
diff --git a/core/fpdfdoc/cpdf_interform.cpp b/core/fpdfdoc/cpdf_interform.cpp
index f498617b27..5fbb3957ab 100644
--- a/core/fpdfdoc/cpdf_interform.cpp
+++ b/core/fpdfdoc/cpdf_interform.cpp
@@ -408,7 +408,7 @@ class CFieldTree {
CPDF_FormField* GetFieldAtIndex(size_t index) {
size_t nFieldsToGo = index;
- return GetFieldInternal(&nFieldsToGo);
+ return GetFieldInternal(&nFieldsToGo, 0);
}
size_t CountFields() const { return CountFieldsInternal(0); }
@@ -422,7 +422,10 @@ class CFieldTree {
const CFX_WideString& GetShortName() const { return m_ShortName; }
private:
- CPDF_FormField* GetFieldInternal(size_t* pFieldsToGo) {
+ CPDF_FormField* GetFieldInternal(size_t* pFieldsToGo, int nLevel) {
+ if (nLevel > nMaxRecursion)
+ return nullptr;
+
if (m_pField) {
if (*pFieldsToGo == 0)
return m_pField.get();
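Review bot: The new guard `if (nLevel > nMaxRecursion) return nullptr;` bails out before `*pFieldsToGo` is examined or decremented, so a subtree beyond the limit is skipped silently while the sibling loop in the next hunk keeps searching; GetFieldAtIndex therefore only stays consistent with CountFields() if CountFieldsInternal() cuts off at exactly the same depth with the same comparison, which this hunk does not show and which is worth confirming, since an off-by-one between the two walks would make GetFieldAtIndex return nullptr for an index below CountFields(). A comment tying the two together would make that coupling explicit: `// Depth cutoff must match CountFieldsInternal(), otherwise indices from CountFields() do not line up with the nodes this walk can reach.` Note also that the limit bounds recursion depth, not the number of nodes visited, so it addresses the stack overflow but not the cost of a very wide tree. GetFieldInternal's body continues past this hunk.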
@@ -430,7 +433,8 @@ class CFieldTree {
--*pFieldsToGo;
}
for (size_t i = 0; i < GetChildrenCount(); ++i) {
- CPDF_FormField* pField = GetChildAt(i)->GetFieldInternal(pFieldsToGo);
+ CPDF_FormField* pField =
+ GetChildAt(i)->GetFieldInternal(pFieldsToGo, nLevel + 1);
if (pField)
return pField;
}