summaryrefslogtreecommitdiff
path: root/core/fxcrt/xml
diff options
context:
space:
mode:
authorRyan Harrison <rharrison@chromium.org>2018-08-03 19:45:26 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-08-03 19:45:26 +0000
commite819c2057ffdea90fef40d5801aec22ecd8571cd (patch)
tree778870a39298b26d70de17bfcc3c2a76202601fb /core/fxcrt/xml
parent2958a8faf500b9c01ca968ee46fe89795eafe2a7 (diff)
downloadpdfium-e819c2057ffdea90fef40d5801aec22ecd8571cd.tar.xz
Make CFX_XMLParser less permissive
Currently the parser will accept arbitrary garbage before the first element begins. This is causing issues with ClusterFuzz since it generates a lot of trash inputs which take a long time to parse inspite of being invalid. This CL adds in a check of how deep the parse is when dealing with text, and if it is at the top level scope, then only accept the beginning of the root node. BUG=chromium:863098 Change-Id: Ie45114ecf488f7e8a68a120d153033c7089d5cdc Reviewed-on: https://pdfium-review.googlesource.com/39470 Commit-Queue: Ryan Harrison <rharrison@chromium.org> Reviewed-by: Henrique Nakashima <hnakashima@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core/fxcrt/xml')
-rw-r--r--core/fxcrt/xml/cfx_xmlparser.cpp5
1 files changed, 4 insertions, 1 deletions
diff --git a/core/fxcrt/xml/cfx_xmlparser.cpp b/core/fxcrt/xml/cfx_xmlparser.cpp
index 094daac889..115b3e7e92 100644
--- a/core/fxcrt/xml/cfx_xmlparser.cpp
+++ b/core/fxcrt/xml/cfx_xmlparser.cpp
@@ -92,7 +92,8 @@ bool CFX_XMLParser::DoSyntaxParse(CFX_XMLDocument* doc) {
FX_SAFE_SIZE_T alloc_size_safe = m_iXMLPlaneSize;
alloc_size_safe += 1; // For NUL.
- if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0)
+ if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0 ||
+ m_iXMLPlaneSize <= 0)
return false;
std::vector<wchar_t> buffer;
@@ -133,6 +134,8 @@ bool CFX_XMLParser::DoSyntaxParse(CFX_XMLDocument* doc) {
current_parser_state = FDE_XmlSyntaxState::Node;
}
} else {
+ if (node_type_stack.size() <= 0 && ch && !FXSYS_iswspace(ch))
+ return false;
ProcessTextChar(ch);
current_buffer_idx++;
}