From 6d9897b103aef10b369eb999a40c22011a8ae4f5 Mon Sep 17 00:00:00 2001
From: Ryan Harrison <rharrison@chromium.org>
Date: Wed, 8 Aug 2018 15:04:26 +0000
Subject: Limit size of expression list in FormCalc parser

Limits the number of elements that can be added to the expressions
list in the FormCalc parser. This handles cases like long strings of !
repeated, since ! is a valid identifier and identifiers are valid
expression, even though it will be no-op. This is another case of
something that is valid, but stupid.

BUG=chromium:870385

Change-Id: I8e34ce00bcbe4499e0a45bd5dc38541793144481
Reviewed-on: https://pdfium-review.googlesource.com/39630
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
---
 xfa/fxfa/fm2js/cxfa_fmparser.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
index be0a31b519..0857573cdf 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
@@ -17,6 +17,7 @@ namespace {
 
 constexpr unsigned int kMaxParseDepth = 1250;
 constexpr unsigned int kMaxPostExpressions = 256;
+constexpr unsigned int kMaxExpressionListSize = 10000;
 
 }  // namespace
 
@@ -91,6 +92,12 @@ CXFA_FMParser::ParseExpressionList() {
       m_error = true;
       return std::vector<std::unique_ptr<CXFA_FMExpression>>();
     }
+
+    if (expressions.size() >= kMaxExpressionListSize) {
+      m_error = true;
+      return std::vector<std::unique_ptr<CXFA_FMExpression>>();
+    }
+
     expressions.push_back(std::move(expr));
   }
   return expressions;
-- 
cgit v1.2.3