diff options
author | Lei Zhang <thestig@chromium.org> | 2017-04-28 11:51:08 -0700 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-04-28 19:06:30 +0000 |
commit | 7831f57f04ad3f581222b0a23eeb736601f98e96 (patch) | |
tree | 98e12dd2169dfceda9bf3450ff3e0ae9ef46dc1c /core | |
parent | 66568bcd683dd7b18672cb3aebca4487e9203519 (diff) | |
download | pdfium-7831f57f04ad3f581222b0a23eeb736601f98e96.tar.xz |
Fix stack overflow in CFieldTree::Node::GetFieldInternal().
Limit recursion depth, just like in CountFieldsInternal().
BUG=chromium:716523
Change-Id: I70c052347a1d8fb9a4dbc065a1c9af55c02818f2
Reviewed-on: https://pdfium-review.googlesource.com/4612
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'core')
-rw-r--r-- | core/fpdfdoc/cpdf_interform.cpp | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/core/fpdfdoc/cpdf_interform.cpp b/core/fpdfdoc/cpdf_interform.cpp index f498617b27..5fbb3957ab 100644 --- a/core/fpdfdoc/cpdf_interform.cpp +++ b/core/fpdfdoc/cpdf_interform.cpp @@ -408,7 +408,7 @@ class CFieldTree { CPDF_FormField* GetFieldAtIndex(size_t index) { size_t nFieldsToGo = index; - return GetFieldInternal(&nFieldsToGo); + return GetFieldInternal(&nFieldsToGo, 0); } size_t CountFields() const { return CountFieldsInternal(0); } @@ -422,7 +422,10 @@ class CFieldTree { const CFX_WideString& GetShortName() const { return m_ShortName; } private: - CPDF_FormField* GetFieldInternal(size_t* pFieldsToGo) { + CPDF_FormField* GetFieldInternal(size_t* pFieldsToGo, int nLevel) { + if (nLevel > nMaxRecursion) + return nullptr; + if (m_pField) { if (*pFieldsToGo == 0) return m_pField.get(); @@ -430,7 +433,8 @@ class CFieldTree { --*pFieldsToGo; } for (size_t i = 0; i < GetChildrenCount(); ++i) { - CPDF_FormField* pField = GetChildAt(i)->GetFieldInternal(pFieldsToGo); + CPDF_FormField* pField = + GetChildAt(i)->GetFieldInternal(pFieldsToGo, nLevel + 1); if (pField) return pField; } |