Detect resursive loading of type3 font char to avoid infinite loop

The original way of detecting loops was passing a level parameter
through various functions. This missed some cases which also lead
to load type3 font char, for example, FindFont() may call
CheckType3FontMetrics() which may eventually lead to LoadChar().

The new way is to store the char loading depth, and abort when the depth
exceeds the max.

BUG=chromium:651304

Review-Url: https://codereview.chromium.org/2384853002

1 files changed, 5 insertions, 3 deletions

diff --git a/core/fpdfapi/fpdf_font/cpdf_type3font.h b/core/fpdfapi/fpdf_font/cpdf_type3font.h
index 2b840f2267..03078298f1 100644
--- a/core/fpdfapi/fpdf_font/cpdf_type3font.h
+++ b/core/fpdfapi/fpdf_font/cpdf_type3font.h
@@ -26,13 +26,13 @@ class CPDF_Type3Font : public CPDF_SimpleFont {
   bool IsType3Font() const override;
   const CPDF_Type3Font* AsType3Font() const override;
   CPDF_Type3Font* AsType3Font() override;
-  int GetCharWidthF(uint32_t charcode, int level = 0) override;
-  FX_RECT GetCharBBox(uint32_t charcode, int level = 0) override;
+  int GetCharWidthF(uint32_t charcode) override;
+  FX_RECT GetCharBBox(uint32_t charcode) override;
 
   void SetPageResources(CPDF_Dictionary* pResources) {
     m_pPageResources = pResources;
   }
-  CPDF_Type3Char* LoadChar(uint32_t charcode, int level = 0);
+  CPDF_Type3Char* LoadChar(uint32_t charcode);
   void CheckType3FontMetrics();
 
   CFX_Matrix& GetFontMatrix() { return m_FontMatrix; }
@@ -52,6 +52,8 @@ class CPDF_Type3Font : public CPDF_SimpleFont {
   CPDF_Dictionary* m_pPageResources;
   CPDF_Dictionary* m_pFontResources;
   std::map<uint32_t, std::unique_ptr<CPDF_Type3Char>> m_CacheMap;
+  // The depth char loading is in, to avoid recurive calling LoadChar().
+  int m_CharLoadingDepth;
 };
 
 #endif  // CORE_FPDFAPI_FPDF_FONT_CPDF_TYPE3FONT_H_