authorRyan Harrison <rharrison@chromium.org>2017-08-31 11:57:14 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-08-31 17:06:29 +0000
commitbc0ca1ec9b157ab8773c9043725c7422f7c1a57c (patch)
treec1e46db02a10e3377d597265dcf125b980c277b0 /core/fpdfapi/page/cpdf_contentparser.h
parentdf064df7a08e008b3c8e4d56bb0b75da9f014147 (diff)
downloadpdfium-bc0ca1ec9b157ab8773c9043725c7422f7c1a57c.tar.xz
Prevent duplicate parses of same data, in the same recursive descent
When parsing, if there is a loop in the data being parsed, the recursions will just keep cycling until it exhausts memory and crashes. This CL introduces a parsed set, a reference to which is passed down the descent. If the data being parsed at a specific stage of the descent is already in the parsed set, then the parse returns at that point. BUG=chromium:759224 Change-Id: I1dca73d81020099dec03fd49aaa44cdcdf38e17e Reviewed-on: https://pdfium-review.googlesource.com/12470 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fpdfapi/page/cpdf_contentparser.h')
-rw-r--r--core/fpdfapi/page/cpdf_contentparser.h6
1 files changed, 5 insertions, 1 deletions
diff --git a/core/fpdfapi/page/cpdf_contentparser.h b/core/fpdfapi/page/cpdf_contentparser.h
index 1ae6efe2d7..b201f95df8 100644
--- a/core/fpdfapi/page/cpdf_contentparser.h
+++ b/core/fpdfapi/page/cpdf_contentparser.h
@@ -8,6 +8,7 @@
#define CORE_FPDFAPI_PAGE_CPDF_CONTENTPARSER_H_
#include <memory>
+#include <set>
#include <vector>
#include "core/fpdfapi/page/cpdf_pageobjectholder.h"
@@ -37,7 +38,7 @@ class CPDF_ContentParser {
CPDF_AllStates* pGraphicStates,
const CFX_Matrix* pParentMatrix,
CPDF_Type3Char* pType3Char,
- int level);
+ std::set<const uint8_t*>* parsedSet);
void Continue(IFX_PauseIndicator* pPause);
private:
@@ -58,6 +59,9 @@ class CPDF_ContentParser {
uint8_t* m_pData;
uint32_t m_Size;
uint32_t m_CurrentOffset;
+ std::unique_ptr<std::set<const uint8_t*>> m_parsedSet;
+ // m_pParser has a reference to m_parsedSet, so must be below and thus
+ // destroyed first.
std::unique_ptr<CPDF_StreamContentParser> m_pParser;
};
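Review bot: The cycle guard keys on buffer address (`std::set<const uint8_t*>` on the new member line and in the constructor parameter), so it is only sound while every data buffer visited in one descent stays alive and at the same address for the whole parse; a buffer released and reallocated at the same address would be wrongly treated as already parsed, and a fresh copy of the same stream bytes would not be recognised at all, which leaves the memory-exhaustion case this CL targets reachable through that path. The header should state that contract next to the member, e.g. `// Keyed by data pointer, not content: valid only while the buffers reached in one descent outlive the parse.` The raw `std::set<const uint8_t*>* parsedSet` constructor parameter also has no stated null contract; the owning `m_parsedSet` member suggests the parser allocates its own set when none is passed, but that is inferred from this hunk, so a one-line comment on the parameter saying whether null is accepted and who owns the set would close the ambiguity. The class body continues outside the shown hunks.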