Merge to XFA: Fix infinite loop caused by parsing same indirect objects

BUG=pdfium:343
TBR=thestig@chromium.org

Review URL: https://codereview.chromium.org/1569343002 .

(cherry picked from commit 149f1db8bba85bdf2b40d330c38f2478695ca0d5)

Review URL: https://codereview.chromium.org/1575663002 .

1 files changed, 19 insertions, 0 deletions

diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index ad97d1f369..236ecaa837 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -36,6 +36,20 @@ struct SearchTagRecord {
   FX_DWORD m_Offset;
 };
 
+template <typename T>
+class ScopedSetInsertion {
+ public:
+  ScopedSetInsertion(std::set<T>* org_set, T elem)
+      : m_Set(org_set), m_Entry(elem) {
+    m_Set->insert(m_Entry);
+  }
+  ~ScopedSetInsertion() { m_Set->erase(m_Entry); }
+
+ private:
+  std::set<T>* const m_Set;
+  const T m_Entry;
+};
+
 int CompareFileSize(const void* p1, const void* p2) {
   return *(FX_FILESIZE*)p1 - *(FX_FILESIZE*)p2;
 }
@@ -1193,6 +1207,11 @@ CPDF_Object* CPDF_Parser::ParseIndirectObject(CPDF_IndirectObjects* pObjList,
   if (!IsValidObjectNumber(objnum))
     return nullptr;
 
+  // Prevent circular parsing the same object.
+  if (pdfium::ContainsKey(m_ParsingObjNums, objnum))
+    return nullptr;
+  ScopedSetInsertion<FX_DWORD> local_insert(&m_ParsingObjNums, objnum);
+
   if (m_V5Type[objnum] == 1 || m_V5Type[objnum] == 255) {
     FX_FILESIZE pos = m_ObjectInfo[objnum].pos;
     if (pos <= 0)