From bc0ca1ec9b157ab8773c9043725c7422f7c1a57c Mon Sep 17 00:00:00 2001
From: Ryan Harrison <rharrison@chromium.org>
Date: Thu, 31 Aug 2017 11:57:14 -0400
Subject: Prevent duplicate parses of same data, in the same recursive descent

When parsing if there is a loop in the data being parsed, the
recursions will just keep cycling until it exhausts memory and
crashes. This CL introduces a parsed set, which a reference to is
passed down the descent. If the data being parsed at a specific stage
of the descent is already in the parsed set, then the parse returns at
that point.

BUG=chromium:759224

Change-Id: I1dca73d81020099dec03fd49aaa44cdcdf38e17e
Reviewed-on: https://pdfium-review.googlesource.com/12470
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
---
 core/fpdfapi/page/cpdf_contentparser.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'core/fpdfapi/page/cpdf_contentparser.cpp')

diff --git a/core/fpdfapi/page/cpdf_contentparser.cpp b/core/fpdfapi/page/cpdf_contentparser.cpp
index 061ec74de8..3032f2cd01 100644
--- a/core/fpdfapi/page/cpdf_contentparser.cpp
+++ b/core/fpdfapi/page/cpdf_contentparser.cpp
@@ -73,7 +73,7 @@ void CPDF_ContentParser::Start(CPDF_Form* pForm,
                                CPDF_AllStates* pGraphicStates,
                                const CFX_Matrix* pParentMatrix,
                                CPDF_Type3Char* pType3Char,
-                               int level) {
+                               std::set<const uint8_t*>* parsedSet) {
   m_pType3Char = pType3Char;
   m_pObjectHolder = pForm;
   m_bForm = true;
@@ -101,7 +101,7 @@ void CPDF_ContentParser::Start(CPDF_Form* pForm,
   m_pParser = pdfium::MakeUnique<CPDF_StreamContentParser>(
       pForm->m_pDocument.Get(), pForm->m_pPageResources.Get(),
       pForm->m_pResources.Get(), pParentMatrix, pForm, pResources, form_bbox,
-      pGraphicStates, level);
+      pGraphicStates, parsedSet);
   m_pParser->GetCurStates()->m_CTM = form_matrix;
   m_pParser->GetCurStates()->m_ParentMatrix = form_matrix;
   if (ClipPath.HasRef()) {
@@ -169,11 +169,12 @@ void CPDF_ContentParser::Continue(IFX_PauseIndicator* pPause) {
     }
     if (m_InternalStage == STAGE_PARSE) {
       if (!m_pParser) {
+        m_parsedSet = pdfium::MakeUnique<std::set<const uint8_t*>>();
         m_pParser = pdfium::MakeUnique<CPDF_StreamContentParser>(
             m_pObjectHolder->m_pDocument.Get(),
             m_pObjectHolder->m_pPageResources.Get(), nullptr, nullptr,
             m_pObjectHolder.Get(), m_pObjectHolder->m_pResources.Get(),
-            m_pObjectHolder->m_BBox, nullptr, 0);
+            m_pObjectHolder->m_BBox, nullptr, m_parsedSet.get());
         m_pParser->GetCurStates()->m_ColorState.SetDefault();
       }
       if (m_CurrentOffset >= m_Size) {
-- 
cgit v1.2.3