From 044b1d6f4929dd8905a259c1e134f2e582726d3b Mon Sep 17 00:00:00 2001
From: tsepez
Date: Tue, 20 Sep 2016 05:56:50 -0700
Subject: Fix stack exhaustion in CPDF_PSProc::Parse()

BUG=648059

Review-Url: https://codereview.chromium.org/2350013003
---
 core/fpdfapi/fpdf_page/cpdf_psengine.h | 3 ++-
 core/fpdfapi/fpdf_page/fpdf_page_func.cpp | 10 +++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/core/fpdfapi/fpdf_page/cpdf_psengine.h b/core/fpdfapi/fpdf_page/cpdf_psengine.h
index fc8badbe6d..c154eb8ac8 100644
--- a/core/fpdfapi/fpdf_page/cpdf_psengine.h
+++ b/core/fpdfapi/fpdf_page/cpdf_psengine.h
@@ -70,10 +70,11 @@ class CPDF_PSProc {
 CPDF_PSProc();
 ~CPDF_PSProc();
 
- FX_BOOL Parse(CPDF_SimpleParser* parser);
+ FX_BOOL Parse(CPDF_SimpleParser* parser, int depth);
 FX_BOOL Execute(CPDF_PSEngine* pEngine);
 
 private:
+ static const int kMaxDepth = 128;
 std::vector> m_Operators;
 };
 
diff --git a/core/fpdfapi/fpdf_page/fpdf_page_func.cpp b/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
index 63ab3056c7..266b2bd09f 100644
--- a/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
+++ b/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
@@ -139,9 +139,13 @@ FX_BOOL CPDF_PSEngine::Parse(const FX_CHAR* str, int size) {
 if (word != "{") {
 return FALSE;
 }
- return m_MainProc.Parse(&parser);
+ return m_MainProc.Parse(&parser, 0);
 }
-FX_BOOL CPDF_PSProc::Parse(CPDF_SimpleParser* parser) {
+
+FX_BOOL CPDF_PSProc::Parse(CPDF_SimpleParser* parser, int depth) {
+ if (depth > kMaxDepth)
+ return FALSE;
+
 while (1) {
 CFX_ByteStringC word = parser->GetWord();
 if (word.IsEmpty()) {
@@ -154,7 +158,7 @@ FX_BOOL CPDF_PSProc::Parse(CPDF_SimpleParser* parser) {
 std::unique_ptr proc(new CPDF_PSProc);
 std::unique_ptr op(new CPDF_PSOP(std::move(proc)));
 m_Operators.push_back(std::move(op));
- if (!m_Operators.back()->GetProc()->Parse(parser)) {
+ if (!m_Operators.back()->GetProc()->Parse(parser, depth + 1)) {
 return FALSE;
 }
 } else {
-- 
cgit v1.2.3
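Review bot: In the cpdf_psengine.h hunk, neither the new `kMaxDepth` constant nor the new `depth` parameter of `Parse` carries a comment, so the reason for the limit (the recursion named in the Subject line) is only recoverable from the commit message, and a later maintainer could raise or drop it without knowing it is a robustness bound against untrusted PDF content. Suggest `// Recursion bound for Parse(); deeply nested "{" in untrusted PostScript function data would otherwise exhaust the stack (BUG=648059).` above `static const int kMaxDepth = 128;`, and on the declaration `// |depth| is the current nesting level; the top-level caller passes 0.` Since the .cpp hunk already uses `std::unique_ptr` and `std::move`, `static constexpr int kMaxDepth = 128;` is the more idiomatic spelling for an in-class integral constant, though the in-class `const` form works here because the value is only read in a comparison.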
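Review bot: The guard `if (depth > kMaxDepth)` in the first fpdf_page_func.cpp hunk admits nesting levels 0 through 128, i.e. kMaxDepth + 1 nested procedures, because the top-level call passes 0 and the recursive call in the second hunk passes `depth + 1`; if the constant is meant to be the maximum number of nested procs, the check should read `if (depth >= kMaxDepth)`. Whichever bound is intended, a one-line comment on the guard would make the intent checkable: `// Bound recursion on nested "{"; attacker-controlled content can nest arbitrarily deep.` A regression input with nesting beyond the limit, asserting that `CPDF_PSEngine::Parse` returns FALSE rather than crashing, would pin the fix against future refactors. The body of `CPDF_PSProc::Parse` continues outside both hunks.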