From 6d9897b103aef10b369eb999a40c22011a8ae4f5 Mon Sep 17 00:00:00 2001
From: Ryan Harrison
Date: Wed, 8 Aug 2018 15:04:26 +0000
Subject: Limit size of expression list in FormCalc parser

Limits the number of elements that can be added to the expressions list in the FormCalc parser. This handles cases like long strings of ! repeated, since ! is a valid identifier and identifiers are valid expression, even though it will be no-op. This is another case of something that is valid, but stupid.

BUG=chromium:870385
Change-Id: I8e34ce00bcbe4499e0a45bd5dc38541793144481
Reviewed-on: https://pdfium-review.googlesource.com/39630
Reviewed-by: Henrique Nakashima
Commit-Queue: Ryan Harrison
---
 xfa/fxfa/fm2js/cxfa_fmparser.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
index be0a31b519..0857573cdf 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
@@ -17,6 +17,7 @@ namespace {
 constexpr unsigned int kMaxParseDepth = 1250;
 constexpr unsigned int kMaxPostExpressions = 256;
+constexpr unsigned int kMaxExpressionListSize = 10000;
 } // namespace
@@ -91,6 +92,12 @@ CXFA_FMParser::ParseExpressionList() {
 m_error = true;
 return std::vector>();
 }
+
+ if (expressions.size() >= kMaxExpressionListSize) {
+ m_error = true;
+ return std::vector>();
+ }
+
 expressions.push_back(std::move(expr));
 }
 return expressions;
-- cgit v1.2.3
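Review bot: `kMaxExpressionListSize` is added in the first hunk without a comment saying what it bounds or why 10000 was chosen, so the next reader cannot tell whether the value is safe to raise. A one-line comment above it would record the intent, for example `// Max entries in one expression list; bounds memory and time spent on untrusted FormCalc input.`. The constant is `unsigned int` while the second hunk compares it with `expressions.size()`; the comparison is safe as written, and `unsigned int` matches the two neighbouring limits, so this is a documentation point only.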
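Review bot: The new guard in ParseExpressionList() rejects an over-long list with the same bare `m_error = true` used for a syntax error a few lines above, so a caller or log reader cannot distinguish a resource-limit rejection from malformed input. A comment above the `if` would at least mark the branch as a limit rather than a grammar rule, for example `// Resource limit, not a syntax rule: a valid but oversized list is rejected.`. The cap applies to each list separately, and whether nested lists are bounded in total depends on code outside this hunk (presumably via kMaxParseDepth), which is worth confirming. The diffstat shows one file changed, so no regression test accompanies the limit; a parser test at and just over kMaxExpressionListSize entries would pin the boundary. The function body starts and ends outside the hunk.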