From a470b5e5371d0674d06068ec38d0d3c3279e85e1 Mon Sep 17 00:00:00 2001
From: weili
Date: Tue, 23 Aug 2016 22:08:37 -0700
Subject: Fix stack overflow in object Clone() functions

For some complex objects such as CPDF_Dictionary, CPDF_Array, CPDF_Stream, and CPDF_Reference, Clone() could be executed with infinite recursion to cause the stack overflow. Fix this by checking already cloned objects to avoid recursion.

BUG=pdfium:513

Review-Url: https://codereview.chromium.org/2250533002
---
 core/fpdfapi/fpdf_parser/cpdf_stream.cpp | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

(limited to 'core/fpdfapi/fpdf_parser/cpdf_stream.cpp')

diff --git a/core/fpdfapi/fpdf_parser/cpdf_stream.cpp b/core/fpdfapi/fpdf_parser/cpdf_stream.cpp
index 7e65c25533..58b9767dfb 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_stream.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_stream.cpp
@@ -9,6 +9,7 @@
 #include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h"
 #include "core/fpdfapi/fpdf_parser/include/cpdf_stream_acc.h"
 #include "core/fpdfapi/fpdf_parser/include/fpdf_parser_decode.h"
+#include "third_party/base/stl_util.h"
 
 CPDF_Stream::CPDF_Stream(uint8_t* pData, uint32_t size, CPDF_Dictionary* pDict)
     : m_pDict(pDict),
@@ -17,6 +18,7 @@ CPDF_Stream::CPDF_Stream(uint8_t* pData, uint32_t size, CPDF_Dictionary* pDict)
       m_pDataBuf(pData) {}
 
 CPDF_Stream::~CPDF_Stream() {
+  m_ObjNum = kInvalidObjNum;
   if (IsMemoryBased())
     FX_Free(m_pDataBuf);
@@ -71,13 +73,22 @@ void CPDF_Stream::InitStream(const uint8_t* pData,
   m_pDict->SetAtInteger("Length", size);
 }
 
-CPDF_Object* CPDF_Stream::Clone(FX_BOOL bDirect) const {
+CPDF_Object* CPDF_Stream::Clone() const {
+  return CloneObjectNonCyclic(false);
+}
+
+CPDF_Object* CPDF_Stream::CloneNonCyclic(
+    bool bDirect,
+    std::set* pVisited) const {
+  pVisited->insert(this);
   CPDF_StreamAcc acc;
   acc.LoadAllData(this, TRUE);
   uint32_t streamSize = acc.GetSize();
   CPDF_Dictionary* pDict = GetDict();
-  if (pDict)
-    pDict = ToDictionary(pDict->Clone(bDirect));
+  if (pDict && !pdfium::ContainsKey(*pVisited, pDict)) {
+    pDict = ToDictionary(
+        static_cast(pDict)->CloneNonCyclic(bDirect, pVisited));
+  }
   return new CPDF_Stream(acc.DetachData(), streamSize, pDict);
 }
-- 
cgit v1.2.3
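Review bot: In CloneNonCyclic, when GetDict() is already in pVisited the new `if` is skipped and `pDict` still points at the original dictionary, so the CPDF_Stream built on the last line takes a dictionary it did not clone; if CPDF_Stream's destructor releases m_pDict (that part of the destructor is not visible in this patch), the original and the clone would both release it. The recursion is stopped, but the ownership consequence of the skipped branch is neither handled nor documented. Consider making the intent explicit with an `else` that omits the dictionary rather than aliasing it, e.g. `} else { pDict = nullptr;  // already on this clone path; do not share it }`, or at least a comment on the `if` stating that a visited dictionary is deliberately left shared with the original. Clone() now delegates to CloneObjectNonCyclic(false), which presumably seeds the visited set in a base-class helper outside this file; the template arguments of std::set and static_cast appear to have been stripped in this rendering.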