diff options
| author | weili <weili@chromium.org> | 2016-08-23 22:08:37 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-08-23 22:08:37 -0700 |
| commit | a470b5e5371d0674d06068ec38d0d3c3279e85e1 (patch) | |
| tree | e13f893084515082052e30c1cb8d94ec6303e38b /core/fpdfapi/fpdf_parser/cpdf_stream.cpp | |
| parent | 0dadcc6fdab7ad1f2ee95d763f31aad5d3534f93 (diff) | |
| download | pdfium-a470b5e5371d0674d06068ec38d0d3c3279e85e1.tar.xz | |
Fix stack overflow in object Clone() functions
For some complex objects such as CPDF_Dictionary, CPDF_Array,
CPDF_Stream, and CPDF_Reference, Clone() could be executed with
infinite recursion to cause the stack overflow. Fix this by
checking already cloned objects to avoid recursion.
BUG=pdfium:513
Review-Url: https://codereview.chromium.org/2250533002
Diffstat (limited to 'core/fpdfapi/fpdf_parser/cpdf_stream.cpp')
| -rw-r--r-- | core/fpdfapi/fpdf_parser/cpdf_stream.cpp | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/core/fpdfapi/fpdf_parser/cpdf_stream.cpp b/core/fpdfapi/fpdf_parser/cpdf_stream.cpp index 7e65c25533..58b9767dfb 100644 --- a/core/fpdfapi/fpdf_parser/cpdf_stream.cpp +++ b/core/fpdfapi/fpdf_parser/cpdf_stream.cpp @@ -9,6 +9,7 @@ #include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h" #include "core/fpdfapi/fpdf_parser/include/cpdf_stream_acc.h" #include "core/fpdfapi/fpdf_parser/include/fpdf_parser_decode.h" +#include "third_party/base/stl_util.h" CPDF_Stream::CPDF_Stream(uint8_t* pData, uint32_t size, CPDF_Dictionary* pDict) : m_pDict(pDict), @@ -17,6 +18,7 @@ CPDF_Stream::CPDF_Stream(uint8_t* pData, uint32_t size, CPDF_Dictionary* pDict) m_pDataBuf(pData) {} CPDF_Stream::~CPDF_Stream() { + m_ObjNum = kInvalidObjNum; if (IsMemoryBased()) FX_Free(m_pDataBuf); @@ -71,13 +73,22 @@ void CPDF_Stream::InitStream(const uint8_t* pData, m_pDict->SetAtInteger("Length", size); } -CPDF_Object* CPDF_Stream::Clone(FX_BOOL bDirect) const { +CPDF_Object* CPDF_Stream::Clone() const { + return CloneObjectNonCyclic(false); +} + +CPDF_Object* CPDF_Stream::CloneNonCyclic( + bool bDirect, + std::set<const CPDF_Object*>* pVisited) const { + pVisited->insert(this); CPDF_StreamAcc acc; acc.LoadAllData(this, TRUE); uint32_t streamSize = acc.GetSize(); CPDF_Dictionary* pDict = GetDict(); - if (pDict) - pDict = ToDictionary(pDict->Clone(bDirect)); + if (pDict && !pdfium::ContainsKey(*pVisited, pDict)) { + pDict = ToDictionary( + static_cast<CPDF_Object*>(pDict)->CloneNonCyclic(bDirect, pVisited)); + } return new CPDF_Stream(acc.DetachData(), streamSize, pDict); } |