author | weili <weili@chromium.org> | 2016-08-23 22:08:37 -0700 |
committer | Commit bot <commit-bot@chromium.org> | 2016-08-23 22:08:37 -0700 |
commit | a470b5e5371d0674d06068ec38d0d3c3279e85e1 (patch) | |
tree | e13f893084515082052e30c1cb8d94ec6303e38b /core/fpdfapi/fpdf_parser/cpdf_array.cpp | |
parent | 0dadcc6fdab7ad1f2ee95d763f31aad5d3534f93 (diff) | |
download | pdfium-a470b5e5371d0674d06068ec38d0d3c3279e85e1.tar.xz |
Fix stack overflow in object Clone() functions
For some complex objects such as CPDF_Dictionary, CPDF_Array,
CPDF_Stream, and CPDF_Reference, Clone() could recurse infinitely
and overflow the stack. Fix this by tracking already cloned objects
so that the recursion terminates.
BUG=pdfium:513
Review-Url: https://codereview.chromium.org/2250533002
Diffstat (limited to 'core/fpdfapi/fpdf_parser/cpdf_array.cpp')
-rw-r--r-- | core/fpdfapi/fpdf_parser/cpdf_array.cpp | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/core/fpdfapi/fpdf_parser/cpdf_array.cpp b/core/fpdfapi/fpdf_parser/cpdf_array.cpp
index a047b3af7b..83f99c215b 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_array.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_array.cpp
@@ -11,10 +11,14 @@
 #include "core/fpdfapi/fpdf_parser/include/cpdf_reference.h"
 #include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h"
 #include "core/fpdfapi/fpdf_parser/include/cpdf_string.h"
+#include "third_party/base/stl_util.h"
 
 CPDF_Array::CPDF_Array() {}
 
 CPDF_Array::~CPDF_Array() {
+  // Mark the object as deleted so that it will not be deleted again
+  // in case of cyclic references.
+  m_ObjNum = kInvalidObjNum;
   for (auto& it : m_Objects) {
     if (it)
       it->Release();
@@ -37,11 +41,19 @@ const CPDF_Array* CPDF_Array::AsArray() const {
   return this;
 }
 
-CPDF_Object* CPDF_Array::Clone(FX_BOOL bDirect) const {
+CPDF_Object* CPDF_Array::Clone() const {
+  return CloneObjectNonCyclic(false);
+}
+
+CPDF_Object* CPDF_Array::CloneNonCyclic(
+    bool bDirect,
+    std::set<const CPDF_Object*>* pVisited) const {
+  pVisited->insert(this);
   CPDF_Array* pCopy = new CPDF_Array();
   for (size_t i = 0; i < GetCount(); i++) {
     CPDF_Object* value = m_Objects.at(i);
-    pCopy->m_Objects.push_back(value->Clone(bDirect));
+    if (!pdfium::ContainsKey(*pVisited, value))
+      pCopy->m_Objects.push_back(value->CloneNonCyclic(bDirect, pVisited));
   }
   return pCopy;
 }
|
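Review bot: CloneNonCyclic inserts `this` into `*pVisited` but never erases it after the loop, so the set records every object touched anywhere in the clone rather than the current recursion path; an object that is legitimately reachable twice without a cycle (presumably the same indirect object referenced from two slots once bDirect dereferences it) is cloned for the first slot and silently dropped from the second, so the copy can be shorter than the original with no signal to the caller. If only true cycles should be cut, adding `pVisited->erase(this);` immediately before `return pCopy;` turns the set into a path set; either way the skip deserves a comment at the `if (!pdfium::ContainsKey(*pVisited, value))` line such as `// Elements already being cloned are dropped, so the copy may have fewer entries than this array.` so code indexing into the copy knows its length can differ. The destructor guards each element with `if (it)` but the loop here still dereferences `value` unconditionally; that is unchanged from the removed line, yet a `if (!value) continue;` (or pushing nullptr, if null slots are meant to be preserved) would be cheap while this loop is being rewritten, provided null slots can actually occur, which this hunk does not show. `CloneObjectNonCyclic`, which `Clone()` now delegates to, is defined outside this hunk, so whether it seeds and owns the visited set is not visible here.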