From 3d7b555aa843b026c9dcb6b0f855af1d358ef2ba Mon Sep 17 00:00:00 2001 From: Henrique Nakashima Date: Tue, 17 Jul 2018 20:47:27 +0000 Subject: Limit recursion depth for CXFA_DocumentParser::NormalLoader(). Bug: chromium:849143 Change-Id: I973bb3be6151ac3afad850533cb735c03e9f3d2c Reviewed-on: https://pdfium-review.googlesource.com/38210 Reviewed-by: Ryan Harrison Commit-Queue: Henrique Nakashima --- xfa/fxfa/parser/cxfa_document_parser.cpp | 7 +++++++ xfa/fxfa/parser/cxfa_document_parser.h | 1 + 2 files changed, 8 insertions(+) diff --git a/xfa/fxfa/parser/cxfa_document_parser.cpp b/xfa/fxfa/parser/cxfa_document_parser.cpp index 599662a160..8e5ff9fbde 100644 --- a/xfa/fxfa/parser/cxfa_document_parser.cpp +++ b/xfa/fxfa/parser/cxfa_document_parser.cpp @@ -9,6 +9,7 @@ #include #include +#include "core/fxcrt/autorestorer.h" #include "core/fxcrt/cfx_memorystream.h" #include "core/fxcrt/cfx_widetextbuf.h" #include "core/fxcrt/fx_codepage.h" @@ -768,6 +769,12 @@ CXFA_Node* CXFA_DocumentParser::NormalLoader(CXFA_Node* pXFANode, CFX_XMLNode* pXMLDoc, XFA_PacketType ePacketID, bool bUseAttribute) { + constexpr const unsigned long kMaxExecuteRecursion = 1000; + if (m_ExecuteRecursionDepth > kMaxExecuteRecursion) + return nullptr; + AutoRestorer restorer(&m_ExecuteRecursionDepth); + ++m_ExecuteRecursionDepth; + bool bOneOfPropertyFound = false; for (CFX_XMLNode* pXMLChild = pXMLDoc->GetFirstChild(); pXMLChild; pXMLChild = pXMLChild->GetNextSibling()) { diff --git a/xfa/fxfa/parser/cxfa_document_parser.h b/xfa/fxfa/parser/cxfa_document_parser.h index 04ed5abb15..4e75db935a 100644 --- a/xfa/fxfa/parser/cxfa_document_parser.h +++ b/xfa/fxfa/parser/cxfa_document_parser.h @@ -75,6 +75,7 @@ class CXFA_DocumentParser { std::unique_ptr xml_doc_; // TODO(dsinclair): Figure out who owns this. CXFA_Node* m_pRootNode = nullptr; + unsigned long m_ExecuteRecursionDepth = 0; }; #endif // XFA_FXFA_PARSER_CXFA_DOCUMENT_PARSER_H_ -- cgit v1.2.3