authorJUN FANG <jun_fang@foxitsoftware.com>2015-04-23 10:12:19 -0700
committerJUN FANG <jun_fang@foxitsoftware.com>2015-04-23 10:20:51 -0700
commitf99882e726d4a78e1b8fecad8b478276fbdf9c86 (patch)
treeb2926f3e3b56f522f206a9276f6c97d271fe5ee9 /core
parentb208774174e102da9f218d89bf8a3af7a0e37f09 (diff)
downloadpdfium-f99882e726d4a78e1b8fecad8b478276fbdf9c86.tar.xz
Merge to XFA: Fix segmentation fault 'denial of service condition'
BUG=467392 R=thestig@chromium.org, tsepez@chromium.org Review URL: https://codereview.chromium.org/1064713008
Diffstat (limited to 'core')
-rw-r--r--core/include/fpdfapi/fpdf_objects.h50
-rw-r--r--core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp7
2 files changed, 32 insertions, 25 deletions
diff --git a/core/include/fpdfapi/fpdf_objects.h b/core/include/fpdfapi/fpdf_objects.h
index df5803c76c..e4a0d3701d 100644
--- a/core/include/fpdfapi/fpdf_objects.h
+++ b/core/include/fpdfapi/fpdf_objects.h
@@ -39,12 +39,12 @@ class CPDF_Object
{
public:
- int GetType() const
+ int GetType() const
{
return m_Type;
}
- FX_DWORD GetObjNum() const
+ FX_DWORD GetObjNum() const
{
return m_ObjNum;
}
@@ -54,51 +54,51 @@ public:
return m_GenNum;
}
- FX_BOOL IsIdentical(CPDF_Object* pObj) const;
+ FX_BOOL IsIdentical(CPDF_Object* pObj) const;
- CPDF_Object* Clone(FX_BOOL bDirect = FALSE) const;
+ CPDF_Object* Clone(FX_BOOL bDirect = FALSE) const;
- CPDF_Object* CloneRef(CPDF_IndirectObjects* pObjs) const;
+ CPDF_Object* CloneRef(CPDF_IndirectObjects* pObjs) const;
- CPDF_Object* GetDirect() const;
+ CPDF_Object* GetDirect() const;
- void Release();
+ void Release();
- CFX_ByteString GetString() const;
-
- CFX_ByteStringC GetConstString() const;
+ CFX_ByteString GetString() const;
- CFX_WideString GetUnicodeText(CFX_CharMap* pCharMap = NULL) const;
+ CFX_ByteStringC GetConstString() const;
- FX_FLOAT GetNumber() const;
+ CFX_WideString GetUnicodeText(CFX_CharMap* pCharMap = NULL) const;
+ FX_FLOAT GetNumber() const;
- FX_FLOAT GetNumber16() const;
+ FX_FLOAT GetNumber16() const;
- int GetInteger() const;
+ int GetInteger() const;
- CPDF_Dictionary* GetDict() const;
+ CPDF_Dictionary* GetDict() const;
- CPDF_Array* GetArray() const;
+ CPDF_Array* GetArray() const;
- void SetString(const CFX_ByteString& str);
+ void SetString(const CFX_ByteString& str);
- void SetUnicodeText(FX_LPCWSTR pUnicodes, int len = -1);
+ void SetUnicodeText(FX_LPCWSTR pUnicodes, int len = -1);
- int GetDirectType() const;
+ int GetDirectType() const;
- FX_BOOL IsModified() const
+ FX_BOOL IsModified() const
{
return FALSE;
}
protected:
CPDF_Object(FX_DWORD type) : m_Type(type), m_ObjNum(0), m_GenNum(0) { }
~CPDF_Object() { }
+ void Destroy();
- void Destroy();
-
- FX_DWORD m_Type;
- FX_DWORD m_ObjNum;
- FX_DWORD m_GenNum;
+ static const int OBJECT_REF_MAX_DEPTH = 128;
+ static int s_nCurRefDepth;
+ FX_DWORD m_Type;
+ FX_DWORD m_ObjNum;
+ FX_DWORD m_GenNum;
friend class CPDF_IndirectObjects;
friend class CPDF_Parser;
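Review bot: The depth counter `s_nCurRefDepth` added on the new side is a single mutable class-wide static, so the recursion budget is shared by every document and every thread that resolves objects through this class rather than being scoped to one resolution chain; if any caller parses on more than one thread concurrently (not visible here), the unsynchronised `++` on it is a data race and the limit becomes unreliable. The two new members also carry no explanation of what the limit protects against, which the next reader will need since the enforcement lives in the .cpp file. I would document them in place: `// Bound on nested indirect-reference resolution; presumably stops a self-referencing object chain from recursing until the stack overflows (see GetInteger()).` above `OBJECT_REF_MAX_DEPTH`, and `// Current resolution depth; process-wide, so not safe for concurrent parsing.` above `s_nCurRefDepth`. The rest of this hunk is indentation-only churn around the existing declarations and needs no review.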
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
index 18f06d6a14..c70e94c984 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
@@ -7,6 +7,9 @@
#include "../../../include/fpdfapi/fpdf_parser.h"
#include "../../../include/fxcrt/fx_string.h"
+//static
+int CPDF_Object::s_nCurRefDepth = 0;
+
void CPDF_Object::Release()
{
if (m_ObjNum) {
@@ -107,6 +110,10 @@ FX_FLOAT CPDF_Object::GetNumber16() const
}
int CPDF_Object::GetInteger() const
{
+ CFX_AutoRestorer<int> restorer(&s_nCurRefDepth);
+ if (++s_nCurRefDepth > OBJECT_REF_MAX_DEPTH) {
+ return 0;
+ }
switch (m_Type) {
case PDFOBJ_BOOLEAN:
return ((CPDF_Boolean*)this)->m_bValue;
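Review bot: When the new guard on the second added line trips it returns 0 silently, which is indistinguishable from a document that genuinely stores the integer 0, so a caller cannot tell a malformed reference chain from a valid value; that may be the intended defensive default, but it should be stated, e.g. `// Depth exceeded: treat the value as 0 rather than keep recursing through a (probably circular) reference chain.`. From this diff the cap is enforced only in GetInteger, while the header declares sibling accessors (GetNumber, GetString, GetDict, GetArray, GetDirect) that presumably walk the same PDFOBJ_REFERENCE path unguarded — worth confirming, since their bodies are not in the hunk. The order of the two added statements relies on CFX_AutoRestorer capturing the pre-increment value at construction and restoring it on scope exit; that is plausible from the name but not visible here. GetInteger's body, including the recursive reference case, continues past the end of this hunk.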