diff options
author | Jun Fang <jun_fang@foxitsoftware.com> | 2015-12-01 12:23:42 +0800 |
---|---|---|
committer | Jun Fang <jun_fang@foxitsoftware.com> | 2015-12-01 12:23:42 +0800 |
commit | 0e4e36878682e22678bb061e77d73f3a4581985c (patch) | |
tree | 0475185ad24bfc66cd02621605c5eab7cad63d4b /xfa | |
parent | cd0e00a305479505b9c759e86bc8ebfd4ecdc4f4 (diff) | |
download | pdfium-0e4e36878682e22678bb061e77d73f3a4581985c.tar.xz |
Fix a crasher due to recursion in CXFA_WidgetAcc::ExecuteScript()
BUG=pdfium:292
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1486573002 .
Diffstat (limited to 'xfa')
-rw-r--r-- | xfa/include/fxfa/fxfa_widget.h | 1 | ||||
-rw-r--r-- | xfa/src/fxfa/src/app/xfa_ffwidgetacc.cpp | 15 |
2 files changed, 12 insertions, 4 deletions
diff --git a/xfa/include/fxfa/fxfa_widget.h b/xfa/include/fxfa/fxfa_widget.h index 634a287628..3040dafcbc 100644 --- a/xfa/include/fxfa/fxfa_widget.h +++ b/xfa/include/fxfa/fxfa_widget.h @@ -113,5 +113,6 @@ class CXFA_WidgetAcc : public CXFA_WidgetData { void StartTextLayout(FX_FLOAT& fCalcWidth, FX_FLOAT& fCalcHeight);
CXFA_FFDocView* m_pDocView;
CXFA_WidgetLayoutData* m_pLayoutData;
+ uint32_t m_nRecursionDepth;
};
#endif
diff --git a/xfa/src/fxfa/src/app/xfa_ffwidgetacc.cpp b/xfa/src/fxfa/src/app/xfa_ffwidgetacc.cpp index 34d87f44c1..285ea544ac 100644 --- a/xfa/src/fxfa/src/app/xfa_ffwidgetacc.cpp +++ b/xfa/src/fxfa/src/app/xfa_ffwidgetacc.cpp @@ -175,7 +175,10 @@ class CXFA_ImageEditData : public CXFA_FieldLayoutData { int32_t m_iImageYDpi;
};
CXFA_WidgetAcc::CXFA_WidgetAcc(CXFA_FFDocView* pDocView, CXFA_Node* pNode)
- : CXFA_WidgetData(pNode), m_pDocView(pDocView), m_pLayoutData(NULL) {}
+ : CXFA_WidgetData(pNode),
+ m_pDocView(pDocView),
+ m_pLayoutData(NULL),
+ m_nRecursionDepth(0) {}
CXFA_WidgetAcc::~CXFA_WidgetAcc() {
if (m_pLayoutData) {
m_pLayoutData->Release();
@@ -630,6 +633,9 @@ int32_t CXFA_WidgetAcc::ProcessValidate(int32_t iFlags) { int32_t CXFA_WidgetAcc::ExecuteScript(CXFA_Script script,
CXFA_EventParam* pEventParam,
FXJSE_HVALUE* pRetValue) {
+ static const uint32_t MAX_RECURSION_DEPTH = 2;
+ if (m_nRecursionDepth > MAX_RECURSION_DEPTH)
+ return XFA_EVENTERROR_Sucess;
FXSYS_assert(pEventParam);
if (!script) {
return XFA_EVENTERROR_NotExist;
@@ -656,9 +662,10 @@ int32_t CXFA_WidgetAcc::ExecuteScript(CXFA_Script script, pContext->SetNodesOfRunScript(&refNodes);
}
FXJSE_HVALUE hRetValue = FXJSE_Value_Create(pContext->GetRuntime());
- FX_BOOL bRet = FALSE;
- bRet = pContext->RunScript((XFA_SCRIPTLANGTYPE)eScriptType, wsExpression,
- hRetValue, m_pNode);
+ ++m_nRecursionDepth;
+ FX_BOOL bRet = pContext->RunScript((XFA_SCRIPTLANGTYPE)eScriptType,
+ wsExpression, hRetValue, m_pNode);
+ --m_nRecursionDepth;
int32_t iRet = XFA_EVENTERROR_Error;
if (bRet) {
iRet = XFA_EVENTERROR_Sucess;
|