From e819c2057ffdea90fef40d5801aec22ecd8571cd Mon Sep 17 00:00:00 2001
From: Ryan Harrison
Date: Fri, 3 Aug 2018 19:45:26 +0000
Subject: Make CFX_XMLParser less permissive

Currently the parser will accept arbitrary garbage before the first element begins. This is causing issues with ClusterFuzz since it generates a lot of trash inputs which take a long time to parse inspite of being invalid.
This CL adds in a check of how deep the parse is when dealing with text, and if it is at the top level scope, then only accept the beginning of the root node.

BUG=chromium:863098
Change-Id: Ie45114ecf488f7e8a68a120d153033c7089d5cdc
Reviewed-on: https://pdfium-review.googlesource.com/39470
Commit-Queue: Ryan Harrison
Reviewed-by: Henrique Nakashima
Reviewed-by: Tom Sepez
---
 core/fxcrt/xml/cfx_xmlparser.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/fxcrt/xml/cfx_xmlparser.cpp b/core/fxcrt/xml/cfx_xmlparser.cpp
index 094daac889..115b3e7e92 100644
--- a/core/fxcrt/xml/cfx_xmlparser.cpp
+++ b/core/fxcrt/xml/cfx_xmlparser.cpp
@@ -92,7 +92,8 @@ bool CFX_XMLParser::DoSyntaxParse(CFX_XMLDocument* doc) {
 
   FX_SAFE_SIZE_T alloc_size_safe = m_iXMLPlaneSize;
   alloc_size_safe += 1;  // For NUL.
-  if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0)
+  if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0 ||
+      m_iXMLPlaneSize <= 0)
     return false;
 
   std::vector buffer;
@@ -133,6 +134,8 @@ bool CFX_XMLParser::DoSyntaxParse(CFX_XMLDocument* doc) {
         current_parser_state = FDE_XmlSyntaxState::Node;
       }
     } else {
+      if (node_type_stack.size() <= 0 && ch && !FXSYS_iswspace(ch))
+        return false;
       ProcessTextChar(ch);
       current_buffer_idx++;
     }
-- 
cgit v1.2.3
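Review bot: The new top-level guard in the `} else {` branch of the second hunk deliberately lets a NUL character through (`ch &&`) while rejecting every other non-whitespace character before the root element, and nothing in the hunk says why; if the exemption exists because the parse buffer is NUL-terminated (the first hunk's `// For NUL.` sizing suggests so, but the read loop is outside the hunk), state it: `// ch == 0 is the buffer's NUL terminator, not document text; leave it to the end-of-buffer handling.` On an unsigned size `node_type_stack.size() <= 0` is just `== 0` and reads better as `if (node_type_stack.empty() && ch && !FXSYS_iswspace(ch))`. If the stack is popped when the root element closes, this check also rejects non-whitespace trailing text after the document ends, which is stricter than the "before the first element" the commit message describes — reasonable for the fuzzing goal, but worth saying in the message or a comment so nobody later "fixes" it. The enclosing loop and `DoSyntaxParse` itself start and end outside both hunks.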