From a470b5e5371d0674d06068ec38d0d3c3279e85e1 Mon Sep 17 00:00:00 2001
From: weili
Date: Tue, 23 Aug 2016 22:08:37 -0700
Subject: Fix stack overflow in object Clone() functions
For some complex objects such as CPDF_Dictionary, CPDF_Array, CPDF_Stream, and CPDF_Reference, Clone() could be executed with infinite recursion to cause the stack overflow. Fix this by checking already cloned objects to avoid recursion.
BUG=pdfium:513
Review-Url: https://codereview.chromium.org/2250533002
---
 core/fpdfapi/fpdf_parser/cpdf_dictionary.cpp | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
(limited to 'core/fpdfapi/fpdf_parser/cpdf_dictionary.cpp')
diff --git a/core/fpdfapi/fpdf_parser/cpdf_dictionary.cpp b/core/fpdfapi/fpdf_parser/cpdf_dictionary.cpp
index 78b88a1b2f..8fef074d4b 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_dictionary.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_dictionary.cpp
@@ -18,6 +18,7 @@ CPDF_Dictionary::CPDF_Dictionary() {}
 CPDF_Dictionary::~CPDF_Dictionary() {
+ m_ObjNum = kInvalidObjNum;
 for (const auto& it : m_Map)
 it.second->Release();
 }
@@ -44,10 +45,22 @@ const CPDF_Dictionary* CPDF_Dictionary::AsDictionary() const {
 return this;
 }
-CPDF_Object* CPDF_Dictionary::Clone(FX_BOOL bDirect) const {
+CPDF_Object* CPDF_Dictionary::Clone() const {
+ return CloneObjectNonCyclic(false);
+}
+
+CPDF_Object* CPDF_Dictionary::CloneNonCyclic(
+ bool bDirect,
+ std::set* pVisited) const {
+ pVisited->insert(this);
 CPDF_Dictionary* pCopy = new CPDF_Dictionary();
- for (const auto& it : *this)
- pCopy->m_Map.insert(std::make_pair(it.first, it.second->Clone(bDirect)));
+ for (const auto& it : *this) {
+ CPDF_Object* value = it.second;
+ if (!pdfium::ContainsKey(*pVisited, value)) {
+ pCopy->m_Map.insert(
+ std::make_pair(it.first, value->CloneNonCyclic(bDirect, pVisited)));
+ }
+ }
 return pCopy;
 }
-- cgit v1.2.3
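Review bot: The new first statement of the destructor, `m_ObjNum = kInvalidObjNum;`, has no comment saying why the object number must be reset before the children are released, and nothing in this hunk shows what reads it during the Release() calls that follow. A one-line why-comment would help the next reader, e.g. `// Reset the object number before releasing children: <what Release() checks against it>.`, filled in with the actual reason. If the intent is that a child's Release() must not see this dictionary as a live indirect object, state that explicitly; from this hunk alone it is only an inference.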
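Review bot: `pVisited->insert(this);` at the top of CloneNonCyclic is never undone, so the set records every object already cloned rather than the objects on the current recursion path; a value that is legitimately shared between two keys, or reached again through a sibling subtree, is rejected by the `ContainsKey` check on its second occurrence and silently dropped from the copy, whereas the removed `it.second->Clone(bDirect)` cloned every occurrence. Only a true cycle needs to be cut, so the set should track ancestors: add `pVisited->erase(this);` immediately before `return pCopy;` (or hand each child its own copy of the set), which keeps the stack-overflow fix while preserving the deep copy for acyclic sharing. The description names CPDF_Array, CPDF_Stream and CPDF_Reference overrides as well; they are outside this diff and presumably need the same treatment. A comment on the `if`, such as `// A value already on the clone path is a cycle; it is deliberately left out of the copy.`, would also explain the missing key to whoever meets it later.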