From bc0ca1ec9b157ab8773c9043725c7422f7c1a57c Mon Sep 17 00:00:00 2001
From: Ryan Harrison
Date: Thu, 31 Aug 2017 11:57:14 -0400
Subject: Prevent duplicate parses of same data, in the same recursive descent

When parsing if there is a loop in the data being parsed, the recursions will just keep cycling until it exhausts memory and crashes. This CL introduces a parsed set, which a reference to is passed down the descent. If the data being parsed at a specific stage of the descent is already in the parsed set, then the parse returns at that point.

BUG=chromium:759224
Change-Id: I1dca73d81020099dec03fd49aaa44cdcdf38e17e
Reviewed-on: https://pdfium-review.googlesource.com/12470
Reviewed-by: Tom Sepez
Commit-Queue: Ryan Harrison
---
 core/fpdfapi/page/cpdf_contentparser.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'core/fpdfapi/page/cpdf_contentparser.h')

diff --git a/core/fpdfapi/page/cpdf_contentparser.h b/core/fpdfapi/page/cpdf_contentparser.h
index 1ae6efe2d7..b201f95df8 100644
--- a/core/fpdfapi/page/cpdf_contentparser.h
+++ b/core/fpdfapi/page/cpdf_contentparser.h
@@ -8,6 +8,7 @@
 #define CORE_FPDFAPI_PAGE_CPDF_CONTENTPARSER_H_
 #include
+#include
 #include
 #include "core/fpdfapi/page/cpdf_pageobjectholder.h"
@@ -37,7 +38,7 @@ class CPDF_ContentParser {
 CPDF_AllStates* pGraphicStates,
 const CFX_Matrix* pParentMatrix,
 CPDF_Type3Char* pType3Char,
-int level);
+std::set* parsedSet);
 void Continue(IFX_PauseIndicator* pPause);
 private:
@@ -58,6 +59,9 @@ class CPDF_ContentParser {
 uint8_t* m_pData;
 uint32_t m_Size;
 uint32_t m_CurrentOffset;
+std::unique_ptr> m_parsedSet;
+// m_pParser has a reference to m_parsedSet, so must be below and thus
+// destroyed first.
 std::unique_ptr m_pParser;
 };
--
cgit v1.2.3
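Review bot: The new `parsedSet` constructor parameter in the second hunk is a raw pointer with no stated contract: whether a caller may pass nullptr, who owns the set, and that the pointee must outlive this object, since the member comment in the third hunk says `m_pParser` keeps a reference to it (this rendering has also stripped the template arguments from `std::set` and `std::unique_ptr`, so the element type is not visible here). The constructor declaration begins outside the hunk, so its earlier parameters and any documentation above them cannot be checked. I would add above the parameter `// parsedSet: visited-data set shared by one recursive descent to stop cycles; must outlive this parser. Presumably nullptr means this parser allocates its own in m_parsedSet — confirm against the .cpp`. The set only detects re-entry on identical data, so if the removed `level` argument was a recursion depth bound, a deep but non-cyclic chain is no longer limited by this header's interface — worth confirming the .cpp still caps depth.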