summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorOliver Chang <ochang@chromium.org>2015-10-22 16:42:33 -0700
committerOliver Chang <ochang@chromium.org>2015-10-22 16:42:33 -0700
commit361a48c04bf14db54731ac99c3c3411b62684775 (patch)
tree6661a83e3c66dbb61195a95dd5183870c39cee24 /core
parent2f604d58ba2d84034c68094bc6d7b63ba321821e (diff)
downloadpdfium-361a48c04bf14db54731ac99c3c3411b62684775.tar.xz
Merge to XFA: Set a recursion limit on CPDF_DataAvail::CheckPageNode
This limit mirrors FX_MAX_PAGE_LEVEL in fpdf_parser_document.cpp Clean merge. TBR=thestig@chromium.org BUG=544880 Review URL: https://codereview.chromium.org/1421743003 . (cherry picked from commit 3bfb1dcf56f8470b693ad1126e24e65f9d17926c) Review URL: https://codereview.chromium.org/1418173003 .
Diffstat (limited to 'core')
-rw-r--r--core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp14
-rw-r--r--core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp9
2 files changed, 19 insertions, 4 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 5de4a41fe1..fe8975fba0 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -2760,6 +2760,7 @@ class CPDF_DataAvail final : public IPDF_DataAvail {
protected:
static const int kMaxDataAvailRecursionDepth = 64;
static int s_CurrentDataAvailRecursionDepth;
+ static const int kMaxPageRecursionDepth = 1024;
FX_DWORD GetObjectSize(FX_DWORD objnum, FX_FILESIZE& offset);
FX_BOOL IsObjectsAvail(CFX_PtrArray& obj_array,
@@ -2812,7 +2813,8 @@ class CPDF_DataAvail final : public IPDF_DataAvail {
FX_BOOL CheckPageNode(CPDF_PageNode& pageNodes,
int32_t iPage,
int32_t& iCount,
- IFX_DownloadHints* pHints);
+ IFX_DownloadHints* pHints,
+ int level);
FX_BOOL CheckUnkownPageNode(FX_DWORD dwPageNo,
CPDF_PageNode* pPageNode,
IFX_DownloadHints* pHints);
@@ -4199,7 +4201,11 @@ FX_BOOL CPDF_DataAvail::CheckUnkownPageNode(FX_DWORD dwPageNo,
FX_BOOL CPDF_DataAvail::CheckPageNode(CPDF_PageNode& pageNodes,
int32_t iPage,
int32_t& iCount,
- IFX_DownloadHints* pHints) {
+ IFX_DownloadHints* pHints,
+ int level) {
+ if (level >= kMaxPageRecursionDepth) {
+ return FALSE;
+ }
int32_t iSize = pageNodes.m_childNode.GetSize();
if (iSize <= 0 || iPage >= iSize) {
m_docStatus = PDF_DATAAVAIL_ERROR;
@@ -4224,7 +4230,7 @@ FX_BOOL CPDF_DataAvail::CheckPageNode(CPDF_PageNode& pageNodes,
}
break;
case PDF_PAGENODE_PAGES:
- if (!CheckPageNode(*pNode, iPage, iCount, pHints)) {
+ if (!CheckPageNode(*pNode, iPage, iCount, pHints, level + 1)) {
return FALSE;
}
break;
@@ -4257,7 +4263,7 @@ FX_BOOL CPDF_DataAvail::LoadDocPage(int32_t iPage, IFX_DownloadHints* pHints) {
return TRUE;
}
int32_t iCount = -1;
- return CheckPageNode(m_pageNodes, iPage, iCount, pHints);
+ return CheckPageNode(m_pageNodes, iPage, iCount, pHints, 0);
}
FX_BOOL CPDF_DataAvail::CheckPageCount(IFX_DownloadHints* pHints) {
FX_BOOL bExist = FALSE;
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp
index 96ea766d4d..b6cfc4e89f 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp
@@ -19,3 +19,12 @@ TEST_F(FPDFParserEmbeddertest, Bug_481363) {
EXPECT_NE(nullptr, page);
UnloadPage(page);
}
+
+TEST_F(FPDFParserEmbeddertest, Bug_544880) {
+ // Test self referencing /Pages object.
+ EXPECT_TRUE(OpenDocument("testing/resources/bug_544880.pdf"));
+ // Shouldn't crash. We don't check the return value here because we get the
+ // the count from the "/Count 1" in the testcase (at the time of writing)
+ // rather than the actual count (0).
+ (void)GetPageCount();
+}