summaryrefslogtreecommitdiff
path: root/core/src/fpdfapi
diff options
context:
space:
mode:
authorJUN FANG <jun_fang@foxitsoftware.com>2015-04-23 10:12:19 -0700
committerJUN FANG <jun_fang@foxitsoftware.com>2015-04-23 10:12:19 -0700
commit4eeef1d776ce7368063f9a7698cfa736821d4186 (patch)
tree51d16f9714aadc1e9ac97748e00aa18cd9521aa9 /core/src/fpdfapi
parentfbfcbc5e82d89585a63a77c63e782fb6768c8dc8 (diff)
downloadpdfium-4eeef1d776ce7368063f9a7698cfa736821d4186.tar.xz
Fix segmentation fault 'denial of service condition'
BUG=467392 R=thestig@chromium.org, tsepez@chromium.org Review URL: https://codereview.chromium.org/1064713008
Diffstat (limited to 'core/src/fpdfapi')
-rw-r--r--core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp7
1 files changed, 7 insertions, 0 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
index db3d382a1f..912af297f5 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
@@ -7,6 +7,9 @@
#include "../../../include/fpdfapi/fpdf_parser.h"
#include "../../../include/fxcrt/fx_string.h"
+//static
+int CPDF_Object::s_nCurRefDepth = 0;
+
void CPDF_Object::Release()
{
if (m_ObjNum) {
@@ -107,6 +110,10 @@ FX_FLOAT CPDF_Object::GetNumber16() const
}
int CPDF_Object::GetInteger() const
{
+ CFX_AutoRestorer<int> restorer(&s_nCurRefDepth);
+ if (++s_nCurRefDepth > OBJECT_REF_MAX_DEPTH) {
+ return 0;
+ }
switch (m_Type) {
case PDFOBJ_BOOLEAN:
return ((CPDF_Boolean*)this)->m_bValue;