From 4fe8ea5bba4bd505b5bd35395c68799771b0bd7d Mon Sep 17 00:00:00 2001
From: Ryan Harrison <rharrison@chromium.org>
Date: Wed, 20 Sep 2017 11:48:58 -0400
Subject: Add in missed parse recursion depth checks

Some of the calls in CXFA_FMParser on the prase recursion had been
missed when adding in the parse depth limiting logic. The fuzzers
found them.

BUG=chromium:759295

Change-Id: Iad54beb356c4c555908797d4b58a42549c006e9e
Reviewed-on: https://pdfium-review.googlesource.com/14510
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
---
 xfa/fxfa/fm2js/cxfa_fmparser.cpp | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
index 16538503de..dde994318c 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
@@ -661,6 +661,10 @@ CXFA_FMParser::ParsePrimaryExpression() {
 
 std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParser::ParsePostExpression(
     std::unique_ptr<CXFA_FMSimpleExpression> expr) {
+  CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth);
+  if (HasError() || !IncrementParseDepthAndCheck())
+    return nullptr;
+
   if (HasError())
     return nullptr;
 
@@ -933,6 +937,10 @@ std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParser::ParseParenExpression() {
 }
 
 std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseBlockExpression() {
+  CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth);
+  if (HasError() || !IncrementParseDepthAndCheck())
+    return nullptr;
+
   if (HasError())
     return nullptr;
 
@@ -1065,6 +1073,10 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseWhileExpression() {
 
 std::unique_ptr<CXFA_FMSimpleExpression>
 CXFA_FMParser::ParseSubassignmentInForExpression() {
+  CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth);
+  if (HasError() || !IncrementParseDepthAndCheck())
+    return nullptr;
+
   if (HasError())
     return nullptr;
 
@@ -1148,6 +1160,10 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseForExpression() {
 }
 
 std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseForeachExpression() {
+  CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth);
+  if (HasError() || !IncrementParseDepthAndCheck())
+    return nullptr;
+
   if (HasError())
     return nullptr;
 
@@ -1193,6 +1209,10 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseForeachExpression() {
 }
 
 std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseDoExpression() {
+  CFX_AutoRestorer<unsigned long> restorer(&m_parse_depth);
+  if (HasError() || !IncrementParseDepthAndCheck())
+    return nullptr;
+
   if (HasError())
     return nullptr;
 
-- 
cgit v1.2.3