authorRyan Harrison <rharrison@chromium.org>2017-09-20 11:48:58 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-09-20 16:10:06 +0000
commit4fe8ea5bba4bd505b5bd35395c68799771b0bd7d (patch)
tree029a7acf838ab917c0ceef5b3882479055cf5602 /xfa
parentd56fd77ef0b2e2a14ceb127283ac0e7cf7ca090b (diff)
Add in missed parse recursion depth checks
Some of the calls in the CXFA_FMParser parse recursion were missed when the parse depth limiting logic was added. The fuzzers found them. BUG=chromium:759295 Change-Id: Iad54beb356c4c555908797d4b58a42549c006e9e Reviewed-on: https://pdfium-review.googlesource.com/14510 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'xfa')
-rw-r--r--xfa/fxfa/fm2js/cxfa_fmparser.cpp20
1 files changed, 20 insertions, 0 deletions
diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
index 16538503de..dde994318c 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
@@ -661,6 +661,10 @@ CXFA_FMParser::ParsePrimaryExpression() {
std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParser::ParsePostExpression(
std::unique_ptr<CXFA_FMSimpleExpression> expr) {
+ CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth);
+ if (HasError() || !IncrementParseDepthAndCheck())
+ return nullptr;
+
if (HasError())
return nullptr;
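Review bot: The `if (HasError()) return nullptr;` left as context directly below the new guard in ParsePostExpression is now dead, because the added condition already returns on `HasError()`. The same leftover appears in the ParseBlockExpression, ParseSubassignmentInForExpression, ParseForeachExpression and ParseDoExpression hunks. I would delete the old check in each, so the prologue is just the restorer plus `if (HasError() || !IncrementParseDepthAndCheck()) return nullptr;`. The function bodies continue outside the hunks.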
@@ -933,6 +937,10 @@ std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParser::ParseParenExpression() {
}
std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseBlockExpression() {
+ CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth);
+ if (HasError() || !IncrementParseDepthAndCheck())
+ return nullptr;
+
if (HasError())
return nullptr;
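Review bot: When the depth limit trips in ParseBlockExpression, the function returns nullptr exactly as it does for an existing error, and nothing visible here records why. IncrementParseDepthAndCheck() is defined outside this diff; if it does not put the parser into its error state, a caller that tests only HasError() could carry on parsing after a truncated subtree, so that is worth confirming. A comment on the guard would make the contract explicit, e.g. `// Depth limit exceeded: fail the parse; callers must treat nullptr as an error.` The same applies to the other four guards added in this commit.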
@@ -1065,6 +1073,10 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseWhileExpression() {
std::unique_ptr<CXFA_FMSimpleExpression>
CXFA_FMParser::ParseSubassignmentInForExpression() {
+ CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth);
+ if (HasError() || !IncrementParseDepthAndCheck())
+ return nullptr;
+
if (HasError())
return nullptr;
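Review bot: The guard in ParseSubassignmentInForExpression is a hand-copied prologue, and the commit message says earlier copies were missed until fuzzing found them, so the convention should be written down where the next Parse* method will be added. I suggest a comment next to the declaration of m_parse_depth or on the first guard, such as `// Every Parse* method that can recurse must open with this depth guard.` The template argument `unsigned long` also has to track the declared type of m_parse_depth, which is outside this hunk; `CFX_AutoRestorer<decltype(m_parse_depth)> restorer(&m_parse_depth);` would keep the two from drifting apart.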
@@ -1148,6 +1160,10 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseForExpression() {
}
std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseForeachExpression() {
+ CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth);
+ if (HasError() || !IncrementParseDepthAndCheck())
+ return nullptr;
+
if (HasError())
return nullptr;
@@ -1193,6 +1209,10 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseForeachExpression() {
}
std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseDoExpression() {
+ CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth);
+ if (HasError() || !IncrementParseDepthAndCheck())
+ return nullptr;
+
if (HasError())
return nullptr;