From 46f79aaad8330857e58cfd3928fdf91678112ae0 Mon Sep 17 00:00:00 2001 From: Dan Sinclair Date: Thu, 15 Feb 2018 15:09:45 +0000 Subject: Add limit to number of formcalc expressions Currently it's possible to create a formcalc script which creates a large number of expressions. This will eventually cause stack exhaustion as we try to allocate the needed expression objects. This CL limits the number of parsed expressions in the PostExpression section in order to keep from failing due to stack overflow. Bug: chromium:799721 Change-Id: I69fca35db7f75ef97aec21c22fc06d926dfe2df6 Reviewed-on: https://pdfium-review.googlesource.com/26870 Commit-Queue: Ryan Harrison Reviewed-by: Ryan Harrison --- xfa/fxfa/fm2js/cxfa_fmparser.cpp | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp index 644fdf2a82..e634f97013 100644 --- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp +++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp @@ -15,8 +15,9 @@ namespace { -const unsigned int kMaxAssignmentChainLength = 12; -const unsigned int kMaxParseDepth = 1250; +constexpr unsigned int kMaxAssignmentChainLength = 12; +constexpr unsigned int kMaxParseDepth = 1250; +constexpr unsigned int kMaxPostExpressions = 16384; } // namespace @@ -669,7 +670,15 @@ std::unique_ptr CXFA_FMParser::ParsePostExpression( return nullptr; uint32_t line = m_token->m_line_num; + size_t expr_count = 0; while (1) { + ++expr_count; + // Limit the number of expressions allowed in the post expression statement. + // If we don't do this then its possible to generate a stack overflow + // by having a very large number of things like .. expressions. + if (expr_count > kMaxPostExpressions) + return nullptr; + switch (m_token->m_type) { case TOKlparen: { if (!NextToken()) -- cgit v1.2.3