summaryrefslogtreecommitdiff
path: root/xfa
diff options
context:
space:
mode:
Diffstat (limited to 'xfa')
-rw-r--r--xfa/fxfa/parser/cxfa_document_parser.cpp7
-rw-r--r--xfa/fxfa/parser/cxfa_document_parser.h1
2 files changed, 8 insertions, 0 deletions
diff --git a/xfa/fxfa/parser/cxfa_document_parser.cpp b/xfa/fxfa/parser/cxfa_document_parser.cpp
index 599662a160..8e5ff9fbde 100644
--- a/xfa/fxfa/parser/cxfa_document_parser.cpp
+++ b/xfa/fxfa/parser/cxfa_document_parser.cpp
@@ -9,6 +9,7 @@
#include <utility>
#include <vector>
+#include "core/fxcrt/autorestorer.h"
#include "core/fxcrt/cfx_memorystream.h"
#include "core/fxcrt/cfx_widetextbuf.h"
#include "core/fxcrt/fx_codepage.h"
@@ -768,6 +769,12 @@ CXFA_Node* CXFA_DocumentParser::NormalLoader(CXFA_Node* pXFANode,
CFX_XMLNode* pXMLDoc,
XFA_PacketType ePacketID,
bool bUseAttribute) {
+ constexpr const unsigned long kMaxExecuteRecursion = 1000;
+ if (m_ExecuteRecursionDepth > kMaxExecuteRecursion)
+ return nullptr;
+ AutoRestorer<unsigned long> restorer(&m_ExecuteRecursionDepth);
+ ++m_ExecuteRecursionDepth;
+
bool bOneOfPropertyFound = false;
for (CFX_XMLNode* pXMLChild = pXMLDoc->GetFirstChild(); pXMLChild;
pXMLChild = pXMLChild->GetNextSibling()) {
diff --git a/xfa/fxfa/parser/cxfa_document_parser.h b/xfa/fxfa/parser/cxfa_document_parser.h
index 04ed5abb15..4e75db935a 100644
--- a/xfa/fxfa/parser/cxfa_document_parser.h
+++ b/xfa/fxfa/parser/cxfa_document_parser.h
@@ -75,6 +75,7 @@ class CXFA_DocumentParser {
std::unique_ptr<CFX_XMLDocument> xml_doc_;
// TODO(dsinclair): Figure out who owns this.
CXFA_Node* m_pRootNode = nullptr;
+ unsigned long m_ExecuteRecursionDepth = 0;
};
#endif // XFA_FXFA_PARSER_CXFA_DOCUMENT_PARSER_H_