From e819c2057ffdea90fef40d5801aec22ecd8571cd Mon Sep 17 00:00:00 2001
From: Ryan Harrison <rharrison@chromium.org>
Date: Fri, 3 Aug 2018 19:45:26 +0000
Subject: Make CFX_XMLParser less permissive

Currently the parser will accept arbitrary garbage before the first
element begins. This is causing issues with ClusterFuzz since it
generates a lot of trash inputs which take a long time to parse
inspite of being invalid.

This CL adds in a check of how deep the parse is when dealing with
text, and if it is at the top level scope, then only accept the
beginning of the root node.

BUG=chromium:863098

Change-Id: Ie45114ecf488f7e8a68a120d153033c7089d5cdc
Reviewed-on: https://pdfium-review.googlesource.com/39470
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
---
 core/fxcrt/xml/cfx_xmlparser.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/fxcrt/xml/cfx_xmlparser.cpp b/core/fxcrt/xml/cfx_xmlparser.cpp
index 094daac889..115b3e7e92 100644
--- a/core/fxcrt/xml/cfx_xmlparser.cpp
+++ b/core/fxcrt/xml/cfx_xmlparser.cpp
@@ -92,7 +92,8 @@ bool CFX_XMLParser::DoSyntaxParse(CFX_XMLDocument* doc) {
 
   FX_SAFE_SIZE_T alloc_size_safe = m_iXMLPlaneSize;
   alloc_size_safe += 1;  // For NUL.
-  if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0)
+  if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0 ||
+      m_iXMLPlaneSize <= 0)
     return false;
 
   std::vector<wchar_t> buffer;
@@ -133,6 +134,8 @@ bool CFX_XMLParser::DoSyntaxParse(CFX_XMLDocument* doc) {
               current_parser_state = FDE_XmlSyntaxState::Node;
             }
           } else {
+            if (node_type_stack.size() <= 0 && ch && !FXSYS_iswspace(ch))
+              return false;
             ProcessTextChar(ch);
             current_buffer_idx++;
           }
-- 
cgit v1.2.3