diff options
author | Oliver Chang <ochang@chromium.org> | 2015-10-22 16:42:33 -0700 |
---|---|---|
committer | Oliver Chang <ochang@chromium.org> | 2015-10-22 16:42:33 -0700 |
commit | 361a48c04bf14db54731ac99c3c3411b62684775 (patch) | |
tree | 6661a83e3c66dbb61195a95dd5183870c39cee24 /core/src | |
parent | 2f604d58ba2d84034c68094bc6d7b63ba321821e (diff) | |
download | pdfium-361a48c04bf14db54731ac99c3c3411b62684775.tar.xz |
Merge to XFA: Set a recursion limit on CPDF_DataAvail::CheckPageNode
This limit mirrors FX_MAX_PAGE_LEVEL in fpdf_parser_document.cpp
Clean merge.
TBR=thestig@chromium.org
BUG=544880
Review URL: https://codereview.chromium.org/1421743003 .
(cherry picked from commit 3bfb1dcf56f8470b693ad1126e24e65f9d17926c)
Review URL: https://codereview.chromium.org/1418173003 .
Diffstat (limited to 'core/src')
-rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 14 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp | 9 |
2 files changed, 19 insertions, 4 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp index 5de4a41fe1..fe8975fba0 100644 --- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp +++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp @@ -2760,6 +2760,7 @@ class CPDF_DataAvail final : public IPDF_DataAvail { protected: static const int kMaxDataAvailRecursionDepth = 64; static int s_CurrentDataAvailRecursionDepth; + static const int kMaxPageRecursionDepth = 1024; FX_DWORD GetObjectSize(FX_DWORD objnum, FX_FILESIZE& offset); FX_BOOL IsObjectsAvail(CFX_PtrArray& obj_array, @@ -2812,7 +2813,8 @@ class CPDF_DataAvail final : public IPDF_DataAvail { FX_BOOL CheckPageNode(CPDF_PageNode& pageNodes, int32_t iPage, int32_t& iCount, - IFX_DownloadHints* pHints); + IFX_DownloadHints* pHints, + int level); FX_BOOL CheckUnkownPageNode(FX_DWORD dwPageNo, CPDF_PageNode* pPageNode, IFX_DownloadHints* pHints); @@ -4199,7 +4201,11 @@ FX_BOOL CPDF_DataAvail::CheckUnkownPageNode(FX_DWORD dwPageNo, FX_BOOL CPDF_DataAvail::CheckPageNode(CPDF_PageNode& pageNodes, int32_t iPage, int32_t& iCount, - IFX_DownloadHints* pHints) { + IFX_DownloadHints* pHints, + int level) { + if (level >= kMaxPageRecursionDepth) { + return FALSE; + } int32_t iSize = pageNodes.m_childNode.GetSize(); if (iSize <= 0 || iPage >= iSize) { m_docStatus = PDF_DATAAVAIL_ERROR; @@ -4224,7 +4230,7 @@ FX_BOOL CPDF_DataAvail::CheckPageNode(CPDF_PageNode& pageNodes, } break; case PDF_PAGENODE_PAGES: - if (!CheckPageNode(*pNode, iPage, iCount, pHints)) { + if (!CheckPageNode(*pNode, iPage, iCount, pHints, level + 1)) { return FALSE; } break; @@ -4257,7 +4263,7 @@ FX_BOOL CPDF_DataAvail::LoadDocPage(int32_t iPage, IFX_DownloadHints* pHints) { return TRUE; } int32_t iCount = -1; - return CheckPageNode(m_pageNodes, iPage, iCount, pHints); + return CheckPageNode(m_pageNodes, iPage, iCount, pHints, 0); } FX_BOOL CPDF_DataAvail::CheckPageCount(IFX_DownloadHints* pHints) { FX_BOOL bExist = FALSE; diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp index 96ea766d4d..b6cfc4e89f 100644 --- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp +++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp @@ -19,3 +19,12 @@ TEST_F(FPDFParserEmbeddertest, Bug_481363) { EXPECT_NE(nullptr, page); UnloadPage(page); } + +TEST_F(FPDFParserEmbeddertest, Bug_544880) { + // Test self referencing /Pages object. + EXPECT_TRUE(OpenDocument("testing/resources/bug_544880.pdf")); + // Shouldn't crash. We don't check the return value here because we get the + // the count from the "/Count 1" in the testcase (at the time of writing) + // rather than the actual count (0). + (void)GetPageCount(); +} |