From 4eeef1d776ce7368063f9a7698cfa736821d4186 Mon Sep 17 00:00:00 2001
From: JUN FANG
Date: Thu, 23 Apr 2015 10:12:19 -0700
Subject: Fix segmentation fault 'denial of service condition'

BUG=467392
R=thestig@chromium.org, tsepez@chromium.org

Review URL: https://codereview.chromium.org/1064713008
---
 core/include/fpdfapi/fpdf_objects.h | 50 +++++++++++-----------
 .../fpdfapi/fpdf_parser/fpdf_parser_objects.cpp | 7 +++
 2 files changed, 32 insertions(+), 25 deletions(-)

diff --git a/core/include/fpdfapi/fpdf_objects.h b/core/include/fpdfapi/fpdf_objects.h
index 0315465367..b3980a4f0f 100644
--- a/core/include/fpdfapi/fpdf_objects.h
+++ b/core/include/fpdfapi/fpdf_objects.h
@@ -39,12 +39,12 @@ class CPDF_Object
 {
 public:
- int GetType() const
+ int GetType() const
 {
 return m_Type;
 }
- FX_DWORD GetObjNum() const
+ FX_DWORD GetObjNum() const
 {
 return m_ObjNum;
 }
@@ -54,51 +54,51 @@ public:
 return m_GenNum;
 }
- FX_BOOL IsIdentical(CPDF_Object* pObj) const;
+ FX_BOOL IsIdentical(CPDF_Object* pObj) const;
- CPDF_Object* Clone(FX_BOOL bDirect = FALSE) const;
+ CPDF_Object* Clone(FX_BOOL bDirect = FALSE) const;
- CPDF_Object* CloneRef(CPDF_IndirectObjects* pObjs) const;
+ CPDF_Object* CloneRef(CPDF_IndirectObjects* pObjs) const;
- CPDF_Object* GetDirect() const;
+ CPDF_Object* GetDirect() const;
- void Release();
+ void Release();
- CFX_ByteString GetString() const;
-
- CFX_ByteStringC GetConstString() const;
+ CFX_ByteString GetString() const;
- CFX_WideString GetUnicodeText(CFX_CharMap* pCharMap = NULL) const;
+ CFX_ByteStringC GetConstString() const;
- FX_FLOAT GetNumber() const;
+ CFX_WideString GetUnicodeText(CFX_CharMap* pCharMap = NULL) const;
+ FX_FLOAT GetNumber() const;
- FX_FLOAT GetNumber16() const;
+ FX_FLOAT GetNumber16() const;
- int GetInteger() const;
+ int GetInteger() const;
- CPDF_Dictionary* GetDict() const;
+ CPDF_Dictionary* GetDict() const;
- CPDF_Array* GetArray() const;
+ CPDF_Array* GetArray() const;
- void SetString(const CFX_ByteString& str);
+ void SetString(const CFX_ByteString& str);
- void SetUnicodeText(FX_LPCWSTR pUnicodes, int len = -1);
+ void SetUnicodeText(FX_LPCWSTR pUnicodes, int len = -1);
- int GetDirectType() const;
+ int GetDirectType() const;
- FX_BOOL IsModified() const
+ FX_BOOL IsModified() const
 {
 return FALSE;
 }
 protected:
 CPDF_Object(FX_DWORD type) : m_Type(type), m_ObjNum(0), m_GenNum(0) { }
 ~CPDF_Object() { }
+ void Destroy();
- void Destroy();
-
- FX_DWORD m_Type;
- FX_DWORD m_ObjNum;
- FX_DWORD m_GenNum;
+ static const int OBJECT_REF_MAX_DEPTH = 128;
+ static int s_nCurRefDepth;
+ FX_DWORD m_Type;
+ FX_DWORD m_ObjNum;
+ FX_DWORD m_GenNum;
 friend class CPDF_IndirectObjects;
 friend class CPDF_Parser;
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
index db3d382a1f..912af297f5 100644
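Review bot: The new protected members `static const int OBJECT_REF_MAX_DEPTH = 128;` and `static int s_nCurRefDepth;` carry no comment, and nothing in the header says what they bound or that the counter is global state shared by every CPDF_Object in the process rather than per-object or per-document. I would add `// Depth of nested indirect-reference resolution currently in progress; bounded by OBJECT_REF_MAX_DEPTH so that reference cycles in a malformed file cannot recurse until the stack overflows. Process-wide, so concurrent parsing on several threads is not supported.` above the pair. The limit of 128 looks like a judgment call rather than anything derived from the PDF spec, so a sentence on why 128 (or a pointer to the bug) would help whoever has to tune it later. The class body continues outside the hunk.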
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
@@ -7,6 +7,9 @@
 #include "../../../include/fpdfapi/fpdf_parser.h"
 #include "../../../include/fxcrt/fx_string.h"
+//static
+int CPDF_Object::s_nCurRefDepth = 0;
+
 void CPDF_Object::Release()
 {
 if (m_ObjNum) {
@@ -107,6 +110,10 @@ FX_FLOAT CPDF_Object::GetNumber16() const
 }
 int CPDF_Object::GetInteger() const
 {
+ CFX_AutoRestorer restorer(&s_nCurRefDepth);
+ if (++s_nCurRefDepth > OBJECT_REF_MAX_DEPTH) {
+ return 0;
+ }
 switch (m_Type) {
 case PDFOBJ_BOOLEAN:
 return ((CPDF_Boolean*)this)->m_bValue;
-- cgit v1.2.3
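Review bot: The guard at the top of GetInteger() returns 0 once the nesting exceeds OBJECT_REF_MAX_DEPTH, and that value is indistinguishable from a genuine integer 0 to every caller; that is a reasonable trade-off for a denial-of-service fix, but it deserves a comment so the next reader does not mistake it for a parse result, e.g. `// Malformed files can chain indirect references back onto themselves; give up (and read the value as 0) once the chain is OBJECT_REF_MAX_DEPTH deep.` The recursion being bounded presumably runs through the reference case of this switch, which lies below the hunk, and the sibling accessors that resolve references the same way (GetNumber, GetDict, GetDirect are declared in the header but their bodies are not shown here) would presumably need the same guard, so that is worth confirming before closing the bug. Because s_nCurRefDepth is a process-wide static, an embedder that parses two documents on different threads would share and race on the counter, which the fix should at least document. GetInteger's body continues outside the hunk.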