summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWei Li <weili@chromium.org>2016-01-08 14:26:18 -0800
committerWei Li <weili@chromium.org>2016-01-08 14:26:18 -0800
commit149f1db8bba85bdf2b40d330c38f2478695ca0d5 (patch)
tree1156a67f35ea8ac7e7077222fcc02b92471b23a7
parente6bd31873c3dba3f79c5ebbbefed636948629cc9 (diff)
downloadpdfium-149f1db8bba85bdf2b40d330c38f2478695ca0d5.tar.xz
Fix infinite loop caused by parsing same indirect objects
BUG=pdfium:343 R=thestig@chromium.org Review URL: https://codereview.chromium.org/1569343002 .
-rw-r--r--core/include/fpdfapi/fpdf_parser.h4
-rw-r--r--core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp19
-rw-r--r--fpdfsdk/src/fpdfview_embeddertest.cpp6
-rw-r--r--testing/resources/bug_343.pdf19
4 files changed, 48 insertions, 0 deletions
diff --git a/core/include/fpdfapi/fpdf_parser.h b/core/include/fpdfapi/fpdf_parser.h
index 756850932e..e1901ebdce 100644
--- a/core/include/fpdfapi/fpdf_parser.h
+++ b/core/include/fpdfapi/fpdf_parser.h
@@ -9,6 +9,7 @@
#include <map>
#include <memory>
+#include <set>
#include "core/include/fpdfapi/fpdf_objects.h"
#include "core/include/fxcrt/fx_system.h"
@@ -536,6 +537,9 @@ class CPDF_Parser {
// streams in |m_ObjectStreamMap| are valid.
std::map<CPDF_StreamAcc*, StreamObjectCache> m_ObjCache;
+ // All indirect object numbers that are being parsed.
+ std::set<FX_DWORD> m_ParsingObjNums;
+
friend class CPDF_Creator;
friend class CPDF_DataAvail;
};
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index ad97d1f369..236ecaa837 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -36,6 +36,20 @@ struct SearchTagRecord {
FX_DWORD m_Offset;
};
+template <typename T>
+class ScopedSetInsertion {
+ public:
+ ScopedSetInsertion(std::set<T>* org_set, T elem)
+ : m_Set(org_set), m_Entry(elem) {
+ m_Set->insert(m_Entry);
+ }
+ ~ScopedSetInsertion() { m_Set->erase(m_Entry); }
+
+ private:
+ std::set<T>* const m_Set;
+ const T m_Entry;
+};
+
int CompareFileSize(const void* p1, const void* p2) {
return *(FX_FILESIZE*)p1 - *(FX_FILESIZE*)p2;
}
@@ -1193,6 +1207,11 @@ CPDF_Object* CPDF_Parser::ParseIndirectObject(CPDF_IndirectObjects* pObjList,
if (!IsValidObjectNumber(objnum))
return nullptr;
+ // Prevent circular parsing the same object.
+ if (pdfium::ContainsKey(m_ParsingObjNums, objnum))
+ return nullptr;
+ ScopedSetInsertion<FX_DWORD> local_insert(&m_ParsingObjNums, objnum);
+
if (m_V5Type[objnum] == 1 || m_V5Type[objnum] == 255) {
FX_FILESIZE pos = m_ObjectInfo[objnum].pos;
if (pos <= 0)
diff --git a/fpdfsdk/src/fpdfview_embeddertest.cpp b/fpdfsdk/src/fpdfview_embeddertest.cpp
index 6eb5fb95cd..6a6d076983 100644
--- a/fpdfsdk/src/fpdfview_embeddertest.cpp
+++ b/fpdfsdk/src/fpdfview_embeddertest.cpp
@@ -216,3 +216,9 @@ TEST_F(FPDFViewEmbeddertest, Hang_298) {
TEST_F(FPDFViewEmbeddertest, CrossRefV4Loop) {
EXPECT_TRUE(OpenDocument("bug_xrefv4_loop.pdf"));
}
+
+// The test should pass when circular references to ParseIndirectObject will not
+// cause infinite loop.
+TEST_F(FPDFViewEmbeddertest, Hang_343) {
+ EXPECT_FALSE(OpenDocument("bug_343.pdf"));
+} \ No newline at end of file
diff --git a/testing/resources/bug_343.pdf b/testing/resources/bug_343.pdf
new file mode 100644
index 0000000000..1ad838708a
--- /dev/null
+++ b/testing/resources/bug_343.pdf
@@ -0,0 +1,19 @@
+'%PDF-1.6
+%âãÏÓ
+<<1 0 objParams%PDF-1.4
+tr%PDF-1.2
+%âãÏÓ
+7 0 obj <<
+! /Type /Font
+trailer
+<<//'/OC3
+endob*
+4 0 obj <<
+ /Resources <<
+ /FT 7 0 R
+>>
+endstream
+endobailer/%
+<<Subtj
+%%EOF
+/parenriy[1.0 +-1.0]pe:XM/Leng#th 308/Type/Sig[gh/Metadata>>%stP \ No newline at end of file