From 7831f57f04ad3f581222b0a23eeb736601f98e96 Mon Sep 17 00:00:00 2001 From: Lei Zhang Date: Fri, 28 Apr 2017 11:51:08 -0700 Subject: Fix stack overflow in CFieldTree::Node::GetFieldInternal(). Limit recursion depth, just like in CountFieldsInternal(). BUG=chromium:716523 Change-Id: I70c052347a1d8fb9a4dbc065a1c9af55c02818f2 Reviewed-on: https://pdfium-review.googlesource.com/4612 Reviewed-by: Tom Sepez Commit-Queue: Lei Zhang --- core/fpdfdoc/cpdf_interform.cpp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/core/fpdfdoc/cpdf_interform.cpp b/core/fpdfdoc/cpdf_interform.cpp index f498617b27..5fbb3957ab 100644 --- a/core/fpdfdoc/cpdf_interform.cpp +++ b/core/fpdfdoc/cpdf_interform.cpp @@ -408,7 +408,7 @@ class CFieldTree { CPDF_FormField* GetFieldAtIndex(size_t index) { size_t nFieldsToGo = index; - return GetFieldInternal(&nFieldsToGo); + return GetFieldInternal(&nFieldsToGo, 0); } size_t CountFields() const { return CountFieldsInternal(0); } @@ -422,7 +422,10 @@ class CFieldTree { const CFX_WideString& GetShortName() const { return m_ShortName; } private: - CPDF_FormField* GetFieldInternal(size_t* pFieldsToGo) { + CPDF_FormField* GetFieldInternal(size_t* pFieldsToGo, int nLevel) { + if (nLevel > nMaxRecursion) + return nullptr; + if (m_pField) { if (*pFieldsToGo == 0) return m_pField.get(); @@ -430,7 +433,8 @@ class CFieldTree { --*pFieldsToGo; } for (size_t i = 0; i < GetChildrenCount(); ++i) { - CPDF_FormField* pField = GetChildAt(i)->GetFieldInternal(pFieldsToGo); + CPDF_FormField* pField = + GetChildAt(i)->GetFieldInternal(pFieldsToGo, nLevel + 1); if (pField) return pField; } -- cgit v1.2.3