Avoid long assignment chain in FM parser

We only parse FM right before translating to JS. Our current implementation of
assignment will duplicate to first expression's ToJavascript. So having a long
chain of assignments will result in a huge ToJavascript.

Bug: chromium:665087
Change-Id: I542371b5787113be2f2d686153ed0a6c48191bab
Reviewed-on: https://pdfium-review.googlesource.com/4030
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

3 files changed, 15 insertions, 0 deletions

diff --git a/xfa/fxfa/fm2js/xfa_error.cpp b/xfa/fxfa/fm2js/xfa_error.cpp
index 9ca886954a..1d31ce6958 100644
--- a/xfa/fxfa/fm2js/xfa_error.cpp
+++ b/xfa/fxfa/fm2js/xfa_error.cpp
@@ -15,3 +15,5 @@ const wchar_t kFMErrExpectedEndIf[] = L"expected 'endif' instead of '%s'";
 const wchar_t kFMErrUnexpectedExpression[] = L"unexpected expression '%s'";
 const wchar_t kFMErrExpectedNonEmptyExpression[] =
     L"expected non-empty expression";
+const wchar_t kFMErrLongAssignmentChain[] =
+    L"long assignment chains are unsupported";
diff --git a/xfa/fxfa/fm2js/xfa_error.h b/xfa/fxfa/fm2js/xfa_error.h
index d6bb72bb34..b6621da440 100644
--- a/xfa/fxfa/fm2js/xfa_error.h
+++ b/xfa/fxfa/fm2js/xfa_error.h
@@ -17,6 +17,7 @@ extern const wchar_t kFMErrExpectedToken[];
 extern const wchar_t kFMErrExpectedEndIf[];
 extern const wchar_t kFMErrUnexpectedExpression[];
 extern const wchar_t kFMErrExpectedNonEmptyExpression[];
+extern const wchar_t kFMErrLongAssignmentChain[];
 
 class CXFA_FMErrorInfo {
  public:
diff --git a/xfa/fxfa/fm2js/xfa_fmparse.cpp b/xfa/fxfa/fm2js/xfa_fmparse.cpp
index 09e8f36298..c1f609315b 100644
--- a/xfa/fxfa/fm2js/xfa_fmparse.cpp
+++ b/xfa/fxfa/fm2js/xfa_fmparse.cpp
@@ -12,6 +12,12 @@
 
 #include "third_party/base/ptr_util.h"
 
+namespace {
+
+const int kMaxAssignmentChainLength = 12;
+
+}  // namespace
+
 CXFA_FMParse::CXFA_FMParse(const CFX_WideStringC& wsFormcalc,
                            CXFA_FMErrorInfo* pErrorInfo)
     : m_pToken(nullptr), m_pErrorInfo(pErrorInfo) {
@@ -208,9 +214,12 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParse::ParseVarExpression() {
 std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParse::ParseSimpleExpression() {
   uint32_t line = m_pToken->m_uLinenum;
   std::unique_ptr<CXFA_FMSimpleExpression> pExp1 = ParseLogicalOrExpression();
+  int level = 1;
   while (m_pToken->m_type == TOKassign) {
     NextToken();
     std::unique_ptr<CXFA_FMSimpleExpression> pExp2 = ParseLogicalOrExpression();
+    if (level++ == kMaxAssignmentChainLength)
+      Error(m_pToken->m_uLinenum, kFMErrLongAssignmentChain);
     if (m_pErrorInfo->message.IsEmpty()) {
       pExp1 = pdfium::MakeUnique<CXFA_FMAssignExpression>(
           line, TOKassign, std::move(pExp1), std::move(pExp2));
@@ -776,9 +785,12 @@ std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParse::ParseParenExpression() {
   uint32_t line = m_pToken->m_uLinenum;
   std::unique_ptr<CXFA_FMSimpleExpression> pExp1 = ParseLogicalOrExpression();
 
+  int level = 1;
   while (m_pToken->m_type == TOKassign) {
     NextToken();
     std::unique_ptr<CXFA_FMSimpleExpression> pExp2 = ParseLogicalOrExpression();
+    if (level++ == kMaxAssignmentChainLength)
+      Error(m_pToken->m_uLinenum, kFMErrLongAssignmentChain);
     if (m_pErrorInfo->message.IsEmpty()) {
       pExp1 = pdfium::MakeUnique<CXFA_FMAssignExpression>(
           line, TOKassign, std::move(pExp1), std::move(pExp2));