authorRyan Harrison <rharrison@chromium.org>2017-08-31 11:57:14 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-08-31 17:06:29 +0000
commitbc0ca1ec9b157ab8773c9043725c7422f7c1a57c (patch)
treec1e46db02a10e3377d597265dcf125b980c277b0 /core/fpdfapi/page/cpdf_streamcontentparser.h
parentdf064df7a08e008b3c8e4d56bb0b75da9f014147 (diff)
Prevent duplicate parses of same data, in the same recursive descent
When parsing, if there is a loop in the data being parsed, the recursion will keep cycling until it exhausts memory and crashes. This CL introduces a parsed set, a reference to which is passed down the descent. If the data being parsed at a specific stage of the descent is already in the parsed set, then the parse returns at that point. BUG=chromium:759224 Change-Id: I1dca73d81020099dec03fd49aaa44cdcdf38e17e Reviewed-on: https://pdfium-review.googlesource.com/12470 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fpdfapi/page/cpdf_streamcontentparser.h')
-rw-r--r--core/fpdfapi/page/cpdf_streamcontentparser.h5
1 files changed, 3 insertions, 2 deletions
diff --git a/core/fpdfapi/page/cpdf_streamcontentparser.h b/core/fpdfapi/page/cpdf_streamcontentparser.h
index 5cbe0ce734..a027129c31 100644
--- a/core/fpdfapi/page/cpdf_streamcontentparser.h
+++ b/core/fpdfapi/page/cpdf_streamcontentparser.h
@@ -9,6 +9,7 @@
#include <map>
#include <memory>
+#include <set>
#include <vector>
#include "core/fpdfapi/page/cpdf_contentmark.h"
@@ -39,7 +40,7 @@ class CPDF_StreamContentParser {
CPDF_Dictionary* pResources,
const CFX_FloatRect& rcBBox,
CPDF_AllStates* pAllStates,
- int level);
+ std::set<const uint8_t*>* parsedSet);
~CPDF_StreamContentParser();
uint32_t Parse(const uint8_t* pData, uint32_t dwSize, uint32_t max_cost);
@@ -198,7 +199,7 @@ class CPDF_StreamContentParser {
CFX_UnownedPtr<CPDF_Dictionary> m_pParentResources;
CFX_UnownedPtr<CPDF_Dictionary> m_pResources;
CFX_UnownedPtr<CPDF_PageObjectHolder> m_pObjectHolder;
- const int m_Level;
+ CFX_UnownedPtr<std::set<const uint8_t*>> m_ParsedSet;
CFX_Matrix m_mtContentToUser;
const CFX_FloatRect m_BBox;
ContentParam m_ParamBuf[kParamBufSize];
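Review bot: The new `m_ParsedSet` member (and the matching `parsedSet` constructor parameter in the previous hunk) is a non-owning pointer with no statement of who owns the set, whether it may be null, or how long it must live; since `CFX_UnownedPtr` does not keep it alive, a parser that outlives the set would read freed memory. The set is also keyed by the address of the stream data rather than by the stream object, so its entries are only meaningful while every buffer recorded in it is still alive within the same descent; a buffer freed and reallocated at the same address during one descent would presumably be mistaken for already-parsed data and skipped. I would add above the member: `// Owned by the caller and shared down the recursive descent; must outlive this parser. Keyed by stream-data address, so only valid while those buffers are alive.` If the removed `m_Level` was used elsewhere as a nesting-depth bound, that bound goes with it and a deep but non-cyclic chain of forms is now limited only by the parsed set; worth confirming in the .cpp, which is outside this diff. The enclosing class declaration continues outside the hunk.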