From 0c01ad05afe4dbc36c6aa32a10a0f98eb677d4be Mon Sep 17 00:00:00 2001 From: Tom Sepez Date: Tue, 3 Feb 2015 16:18:19 -0800 Subject: Fix stack exhaustion in CPDF_DataAvail::HaveResourceAncestor() BUG=https://code.google.com/p/pdfium/issues/detail?id=113 R=thestig@chromium.org Review URL: https://codereview.chromium.org/880043004 --- .../src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 14 ++++++-- fpdfsdk/src/fpdfview_embeddertest.cpp | 8 +++-- testing/resources/bug_113.in | 29 +++++++++++++++++ testing/resources/bug_113.pdf | 38 ++++++++++++++++++++++ 4 files changed, 85 insertions(+), 4 deletions(-) create mode 100644 testing/resources/bug_113.in create mode 100644 testing/resources/bug_113.pdf diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp index 29265f407f..4b80895d61 100644 --- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp +++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp @@ -2743,7 +2743,11 @@ public: } virtual void GetLinearizedMainXRefInfo(FX_FILESIZE *pPos, FX_DWORD *pSize) FX_OVERRIDE; + protected: + static const int kMaxDataAvailRecursionDepth = 64; + static int s_CurrentDataAvailRecursionDepth; + FX_DWORD GetObjectSize(FX_DWORD objnum, FX_FILESIZE& offset); FX_BOOL IsObjectsAvail(CFX_PtrArray& obj_array, FX_BOOL bParsePage, IFX_DownloadHints* pHints, CFX_PtrArray &ret_array); FX_BOOL CheckDocStatus(IFX_DownloadHints *pHints); @@ -2919,6 +2923,9 @@ IPDF_DataAvail* IPDF_DataAvail::Create(IFX_FileAvail* pFileAvail, IFX_FileRead* return FX_NEW CPDF_DataAvail(pFileAvail, pFileRead); } +// static +int CPDF_DataAvail::s_CurrentDataAvailRecursionDepth = 0; + CPDF_DataAvail::CPDF_DataAvail(IFX_FileAvail* pFileAvail, IFX_FileRead* pFileRead) : IPDF_DataAvail(pFileAvail, pFileRead) { @@ -4395,6 +4402,10 @@ FX_BOOL CPDF_DataAvail::CheckLinearizedFirstPage(FX_INT32 iPage, IFX_DownloadHin } FX_BOOL CPDF_DataAvail::HaveResourceAncestor(CPDF_Dictionary *pDict) { + CFX_AutoRestorer restorer(&s_CurrentDataAvailRecursionDepth); + if (++s_CurrentDataAvailRecursionDepth > kMaxDataAvailRecursionDepth) { + return FALSE; + } CPDF_Object *pParent = pDict->GetElement("Parent"); if (!pParent) { return FALSE; @@ -4407,9 +4418,8 @@ FX_BOOL CPDF_DataAvail::HaveResourceAncestor(CPDF_Dictionary *pDict) if (pRet) { m_pPageResource = pRet; return TRUE; - } else { - return HaveResourceAncestor(pParentDict); } + return HaveResourceAncestor(pParentDict); } FX_BOOL CPDF_DataAvail::IsPageAvail(FX_INT32 iPage, IFX_DownloadHints* pHints) { diff --git a/fpdfsdk/src/fpdfview_embeddertest.cpp b/fpdfsdk/src/fpdfview_embeddertest.cpp index f9b611bbf6..04549741ec 100644 --- a/fpdfsdk/src/fpdfview_embeddertest.cpp +++ b/fpdfsdk/src/fpdfview_embeddertest.cpp @@ -177,11 +177,15 @@ TEST_F(FPDFViewEmbeddertest, NamedDestsByName) { } // The following tests pass if the document opens without crashing. -TEST_F(FPDFViewEmbeddertest, Crasher1) { +TEST_F(FPDFViewEmbeddertest, Crasher_113) { + EXPECT_TRUE(OpenDocument("testing/resources/bug_113.pdf")); +} + +TEST_F(FPDFViewEmbeddertest, Crasher_451830) { EXPECT_TRUE(OpenDocument("testing/resources/bug_451830.pdf")); } -TEST_F(FPDFViewEmbeddertest, Crasher2) { +TEST_F(FPDFViewEmbeddertest, Crasher_452455) { EXPECT_TRUE(OpenDocument("testing/resources/bug_452455.pdf")); FPDF_PAGE page = LoadPage(0); EXPECT_NE(nullptr, page); diff --git a/testing/resources/bug_113.in b/testing/resources/bug_113.in new file mode 100644 index 0000000000..5fc6e71744 --- /dev/null +++ b/testing/resources/bug_113.in @@ -0,0 +1,29 @@ +{{header}} +{{object 3 0}} << + /Pages 5 0 R +>> +endobj +{{object 4 0}} << +/Type /Page +/Parent 5 0 R +/Resources << +/Font <> +{{startxref}} +%%EOF diff --git a/testing/resources/bug_113.pdf b/testing/resources/bug_113.pdf new file mode 100644 index 0000000000..0a524c1b8e --- /dev/null +++ b/testing/resources/bug_113.pdf @@ -0,0 +1,38 @@ +%PDF-1.7 +% ò¤ô +3 0 obj << + /Pages 5 0 R +>> +endobj +4 0 obj << +/Type /Page +/Parent 5 0 R +/Resources << +/Font <> +startxref +298 +%%EOF -- cgit v1.2.3