From 0e4e36878682e22678bb061e77d73f3a4581985c Mon Sep 17 00:00:00 2001
From: Jun Fang
Date: Tue, 1 Dec 2015 12:23:42 +0800
Subject: Fix a crasher due to recursion in CXFA_WidgetAcc::ExecuteScript()

BUG=pdfium:292
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1486573002 .
---
 xfa/include/fxfa/fxfa_widget.h | 1 +
 xfa/src/fxfa/src/app/xfa_ffwidgetacc.cpp | 15 +++++++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/xfa/include/fxfa/fxfa_widget.h b/xfa/include/fxfa/fxfa_widget.h
index 634a287628..3040dafcbc 100644
--- a/xfa/include/fxfa/fxfa_widget.h
+++ b/xfa/include/fxfa/fxfa_widget.h
@@ -113,5 +113,6 @@ class CXFA_WidgetAcc : public CXFA_WidgetData {
 void StartTextLayout(FX_FLOAT& fCalcWidth, FX_FLOAT& fCalcHeight);
 CXFA_FFDocView* m_pDocView;
 CXFA_WidgetLayoutData* m_pLayoutData;
+ uint32_t m_nRecursionDepth;
 };
 #endif
diff --git a/xfa/src/fxfa/src/app/xfa_ffwidgetacc.cpp b/xfa/src/fxfa/src/app/xfa_ffwidgetacc.cpp
index 34d87f44c1..285ea544ac 100644
--- a/xfa/src/fxfa/src/app/xfa_ffwidgetacc.cpp
+++ b/xfa/src/fxfa/src/app/xfa_ffwidgetacc.cpp
@@ -175,7 +175,10 @@ class CXFA_ImageEditData : public CXFA_FieldLayoutData {
 int32_t m_iImageYDpi;
 };
 CXFA_WidgetAcc::CXFA_WidgetAcc(CXFA_FFDocView* pDocView, CXFA_Node* pNode)
- : CXFA_WidgetData(pNode), m_pDocView(pDocView), m_pLayoutData(NULL) {}
+ : CXFA_WidgetData(pNode),
+ m_pDocView(pDocView),
+ m_pLayoutData(NULL),
+ m_nRecursionDepth(0) {}
 CXFA_WidgetAcc::~CXFA_WidgetAcc() {
 if (m_pLayoutData) {
 m_pLayoutData->Release();
@@ -630,6 +633,9 @@ int32_t CXFA_WidgetAcc::ProcessValidate(int32_t iFlags) {
 int32_t CXFA_WidgetAcc::ExecuteScript(CXFA_Script script,
 CXFA_EventParam* pEventParam,
 FXJSE_HVALUE* pRetValue) {
+ static const uint32_t MAX_RECURSION_DEPTH = 2;
+ if (m_nRecursionDepth > MAX_RECURSION_DEPTH)
+ return XFA_EVENTERROR_Sucess;
 FXSYS_assert(pEventParam);
 if (!script) {
 return XFA_EVENTERROR_NotExist;
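Review bot: `m_nRecursionDepth`, added to `CXFA_WidgetAcc` in fxfa_widget.h, is a per-object counter, so it limits re-entry into `ExecuteScript()` on one widget accessor rather than the total nesting of scripts in the document. If a script on one widget can trigger scripts on other widgets (not visible in this patch), the stack could presumably still grow by the per-object limit times the number of widgets involved; a cap on overall nesting would have to live on something shared, such as the doc view or script context. The member also has no comment; something like `// Number of ExecuteScript() calls currently active on this object; bounds script re-entry.` would help. The class body starts outside the hunk.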
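Review bot: Returning `XFA_EVENTERROR_Sucess` from the new depth guard at the top of `CXFA_WidgetAcc::ExecuteScript()` in xfa_ffwidgetacc.cpp reports a skipped script as one that ran. It also returns before anything visible touches `pRetValue`, so a caller that reads the result on success may see a value that was never set (how `pRetValue` is filled lies outside the hunk). A distinct failure such as `return XFA_EVENTERROR_Error;`, or at least a comment explaining why success is the intended answer, would make the contract explicit. The comparison also admits depths 0, 1 and 2, so three nested runs are allowed with `MAX_RECURSION_DEPTH = 2`; if two was meant, use `if (m_nRecursionDepth >= MAX_RECURSION_DEPTH)`. The function body continues outside the hunk.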
@@ -656,9 +662,10 @@ int32_t CXFA_WidgetAcc::ExecuteScript(CXFA_Script script,
 pContext->SetNodesOfRunScript(&refNodes);
 }
 FXJSE_HVALUE hRetValue = FXJSE_Value_Create(pContext->GetRuntime());
- FX_BOOL bRet = FALSE;
- bRet = pContext->RunScript((XFA_SCRIPTLANGTYPE)eScriptType, wsExpression,
- hRetValue, m_pNode);
+ ++m_nRecursionDepth;
+ FX_BOOL bRet = pContext->RunScript((XFA_SCRIPTLANGTYPE)eScriptType,
+ wsExpression, hRetValue, m_pNode);
+ --m_nRecursionDepth;
 int32_t iRet = XFA_EVENTERROR_Error;
 if (bRet) {
 iRet = XFA_EVENTERROR_Sucess;
-- 
cgit v1.2.3
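Review bot: The hand-written `++m_nRecursionDepth` / `--m_nRecursionDepth` pair around `RunScript()` stays balanced only while nothing returns between the two lines, and it assumes `this` is still alive when `RunScript()` comes back. A small scoped guard that increments in its constructor and decrements in its destructor would keep the counter correct if an early return is added later. Whether a running script can destroy this object is not visible here; if it can, the decrement (guard or not) touches a freed object and needs a liveness check. The function body begins and ends outside the hunk.

```cpp
// Keeps the re-entry counter balanced on every exit path of the scope.
class CXFA_ScopedRecursionDepth {
 public:
  explicit CXFA_ScopedRecursionDepth(uint32_t& nDepth) : m_nDepth(nDepth) {
    ++m_nDepth;
  }
  ~CXFA_ScopedRecursionDepth() { --m_nDepth; }

 private:
  uint32_t& m_nDepth;
};

// … unchanged: context setup and hRetValue creation …
FX_BOOL bRet = FALSE;
{
  CXFA_ScopedRecursionDepth depthGuard(m_nRecursionDepth);
  bRet = pContext->RunScript((XFA_SCRIPTLANGTYPE)eScriptType, wsExpression,
                             hRetValue, m_pNode);
}
// … unchanged: iRet handling …
```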