Merge to XFA: Fix segmentation fault 'denial of service condition'

BUG=467392 R=thestig@chromium.org, tsepez@chromium.org Review URL: https://codereview.chromium.org/1064713008
author: JUN FANG <jun_fang@foxitsoftware.com> 2015-04-23 10:12:19 -0700
committer: JUN FANG <jun_fang@foxitsoftware.com> 2015-04-23 10:20:51 -0700
commit: f99882e726d4a78e1b8fecad8b478276fbdf9c86 (patch)
tree: b2926f3e3b56f522f206a9276f6c97d271fe5ee9 /core/src
parent: b208774174e102da9f218d89bf8a3af7a0e37f09 (diff)
download: pdfium-f99882e726d4a78e1b8fecad8b478276fbdf9c86.tar.xz
1 files changed, 7 insertions, 0 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
index 18f06d6a14..c70e94c984 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
@@ -7,6 +7,9 @@
 #include "../../../include/fpdfapi/fpdf_parser.h"
 #include "../../../include/fxcrt/fx_string.h"
 
+//static
+int CPDF_Object::s_nCurRefDepth = 0;
+
 void CPDF_Object::Release()
 {
     if (m_ObjNum) {
@@ -107,6 +110,10 @@ FX_FLOAT CPDF_Object::GetNumber16() const
 }
 int CPDF_Object::GetInteger() const
 {
+    CFX_AutoRestorer<int> restorer(&s_nCurRefDepth);
+    if (++s_nCurRefDepth > OBJECT_REF_MAX_DEPTH) {
+        return 0;
+    }
     switch (m_Type) {
         case PDFOBJ_BOOLEAN:
             return ((CPDF_Boolean*)this)->m_bValue;
author	JUN FANG <jun_fang@foxitsoftware.com>	2015-04-23 10:12:19 -0700
committer	JUN FANG <jun_fang@foxitsoftware.com>	2015-04-23 10:20:51 -0700
commit	f99882e726d4a78e1b8fecad8b478276fbdf9c86 (patch)
tree	b2926f3e3b56f522f206a9276f6c97d271fe5ee9 /core/src
parent	b208774174e102da9f218d89bf8a3af7a0e37f09 (diff)
download	pdfium-f99882e726d4a78e1b8fecad8b478276fbdf9c86.tar.xz