From 5c97fd86374a1638710870a8603438f6d6fa11d1 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Tue, 11 Apr 2017 11:05:56 -0400
Subject: Avoid long assignment chain in FM parser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We only parse FM right before translating to JS. Our current implementation of assignment will duplicate to first expression's ToJavascript. So having a long chain of assignments will result in a huge ToJavascript.

Bug: chromium:665087
Change-Id: I542371b5787113be2f2d686153ed0a6c48191bab
Reviewed-on: https://pdfium-review.googlesource.com/4030
Commit-Queue: Nicolás Peña
Reviewed-by: dsinclair
---
 xfa/fxfa/fm2js/xfa_error.cpp | 2 ++
 xfa/fxfa/fm2js/xfa_error.h | 1 +
 xfa/fxfa/fm2js/xfa_fmparse.cpp | 12 ++++++++++++
 3 files changed, 15 insertions(+)

diff --git a/xfa/fxfa/fm2js/xfa_error.cpp b/xfa/fxfa/fm2js/xfa_error.cpp
index 9ca886954a..1d31ce6958 100644
--- a/xfa/fxfa/fm2js/xfa_error.cpp
+++ b/xfa/fxfa/fm2js/xfa_error.cpp
@@ -15,3 +15,5 @@ const wchar_t kFMErrExpectedEndIf[] = L"expected 'endif' instead of '%s'";
 const wchar_t kFMErrUnexpectedExpression[] = L"unexpected expression '%s'";
 const wchar_t kFMErrExpectedNonEmptyExpression[] = L"expected non-empty expression";
+const wchar_t kFMErrLongAssignmentChain[] =
+ L"long assignment chains are unsupported";
diff --git a/xfa/fxfa/fm2js/xfa_error.h b/xfa/fxfa/fm2js/xfa_error.h
index d6bb72bb34..b6621da440 100644
--- a/xfa/fxfa/fm2js/xfa_error.h
+++ b/xfa/fxfa/fm2js/xfa_error.h
@@ -17,6 +17,7 @@ extern const wchar_t kFMErrExpectedToken[];
 extern const wchar_t kFMErrExpectedEndIf[];
 extern const wchar_t kFMErrUnexpectedExpression[];
 extern const wchar_t kFMErrExpectedNonEmptyExpression[];
+extern const wchar_t kFMErrLongAssignmentChain[];
 class CXFA_FMErrorInfo {
 public:
diff --git a/xfa/fxfa/fm2js/xfa_fmparse.cpp b/xfa/fxfa/fm2js/xfa_fmparse.cpp
index 09e8f36298..c1f609315b 100644
--- a/xfa/fxfa/fm2js/xfa_fmparse.cpp
+++ b/xfa/fxfa/fm2js/xfa_fmparse.cpp
@@ -12,6 +12,12 @@
 #include "third_party/base/ptr_util.h"
+namespace {
+
+const int kMaxAssignmentChainLength = 12;
+
+} // namespace
+
 CXFA_FMParse::CXFA_FMParse(const CFX_WideStringC& wsFormcalc, CXFA_FMErrorInfo* pErrorInfo) : m_pToken(nullptr), m_pErrorInfo(pErrorInfo) {
@@ -208,9 +214,12 @@ std::unique_ptr CXFA_FMParse::ParseVarExpression() {
 std::unique_ptr CXFA_FMParse::ParseSimpleExpression() {
 uint32_t line = m_pToken->m_uLinenum;
 std::unique_ptr pExp1 = ParseLogicalOrExpression();
+ int level = 1;
 while (m_pToken->m_type == TOKassign) {
 NextToken();
 std::unique_ptr pExp2 = ParseLogicalOrExpression();
+ if (level++ == kMaxAssignmentChainLength)
+ Error(m_pToken->m_uLinenum, kFMErrLongAssignmentChain);
 if (m_pErrorInfo->message.IsEmpty()) {
 pExp1 = pdfium::MakeUnique( line, TOKassign, std::move(pExp1), std::move(pExp2));
@@ -776,9 +785,12 @@ std::unique_ptr CXFA_FMParse::ParseParenExpression() {
 uint32_t line = m_pToken->m_uLinenum;
 std::unique_ptr pExp1 = ParseLogicalOrExpression();
+ int level = 1;
 while (m_pToken->m_type == TOKassign) {
 NextToken();
 std::unique_ptr pExp2 = ParseLogicalOrExpression();
+ if (level++ == kMaxAssignmentChainLength)
+ Error(m_pToken->m_uLinenum, kFMErrLongAssignmentChain);
 if (m_pErrorInfo->message.IsEmpty()) {
 pExp1 = pdfium::MakeUnique( line, TOKassign, std::move(pExp1), std::move(pExp2));
-- 
cgit v1.2.3
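Review bot: `kMaxAssignmentChainLength` in the first xfa_fmparse.cpp hunk is introduced without a comment saying what it bounds or why 12 was chosen, which matters because the value is a resource limit rather than a FormCalc language rule. Going by the commit message, the limit exists because each assignment duplicates the first expression's ToJavascript output, so I would put `// Caps the length of one assignment chain; the generated JS grows with every extra assignment (chromium:665087).` above the definition. `constexpr int` would also state the intent more directly than `const int`.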
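Review bot: In ParseSimpleExpression the guard `if (level++ == kMaxAssignmentChainLength)` reports the error on exactly one iteration, and the `while` loop then keeps consuming `TOKassign` tokens, so what actually stops the expression tree from growing is the later `m_pErrorInfo->message.IsEmpty()` test. That holds only if Error() leaves the message set, which is not visible in this hunk; `if (level++ >= kMaxAssignmentChainLength)` would keep the limit enforced on every later iteration regardless. The same three added lines appear in ParseParenExpression in the last hunk, so a small shared helper would keep the two copies from drifting apart. The function body continues past the end of the hunk.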
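Review bot: `int level = 1;` in ParseParenExpression (and in ParseSimpleExpression above) is a local, so the budget restarts on every call and the limit bounds one flat chain rather than the total size of the generated script. If ParseLogicalOrExpression() can reach ParseParenExpression for a parenthesised operand (presumably, but not shown here), each nesting level gets a fresh allowance of 12 and the expansion described in the commit message can still compound. A parser-wide counter kept as a member next to `m_pErrorInfo`, or a cap on the size of the ToJavascript output, would bound the worst case. The diffstat lists no test file; a regression test that feeds a chain longer than the limit and expects `kFMErrLongAssignmentChain` would pin the behaviour. The function starts before this hunk and ends after it.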