diff options
| author | Ryan Harrison <rharrison@chromium.org> | 2017-09-20 11:48:58 -0400 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-09-20 16:10:06 +0000 |
| commit | 4fe8ea5bba4bd505b5bd35395c68799771b0bd7d (patch) | |
| tree | 029a7acf838ab917c0ceef5b3882479055cf5602 /xfa/fxfa | |
| parent | d56fd77ef0b2e2a14ceb127283ac0e7cf7ca090b (diff) | |
| download | pdfium-4fe8ea5bba4bd505b5bd35395c68799771b0bd7d.tar.xz | |
Add in missed parse recursion depth checks
Some of the calls in CXFA_FMParser on the prase recursion had been
missed when adding in the parse depth limiting logic. The fuzzers
found them.
BUG=chromium:759295
Change-Id: Iad54beb356c4c555908797d4b58a42549c006e9e
Reviewed-on: https://pdfium-review.googlesource.com/14510
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'xfa/fxfa')
| -rw-r--r-- | xfa/fxfa/fm2js/cxfa_fmparser.cpp | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp index 16538503de..dde994318c 100644 --- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp +++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp @@ -661,6 +661,10 @@ CXFA_FMParser::ParsePrimaryExpression() { std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParser::ParsePostExpression( std::unique_ptr<CXFA_FMSimpleExpression> expr) { + CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth); + if (HasError() || !IncrementParseDepthAndCheck()) + return nullptr; + if (HasError()) return nullptr; @@ -933,6 +937,10 @@ std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParser::ParseParenExpression() { } std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseBlockExpression() { + CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth); + if (HasError() || !IncrementParseDepthAndCheck()) + return nullptr; + if (HasError()) return nullptr; @@ -1065,6 +1073,10 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseWhileExpression() { std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParser::ParseSubassignmentInForExpression() { + CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth); + if (HasError() || !IncrementParseDepthAndCheck()) + return nullptr; + if (HasError()) return nullptr; @@ -1148,6 +1160,10 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseForExpression() { } std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseForeachExpression() { + CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth); + if (HasError() || !IncrementParseDepthAndCheck()) + return nullptr; + if (HasError()) return nullptr; @@ -1193,6 +1209,10 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseForeachExpression() { } std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseDoExpression() { + CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth); + if (HasError() || !IncrementParseDepthAndCheck()) + return nullptr; + if (HasError()) return nullptr; |