From 6438c4f36da162f72e0d53e8fff45cd6687b7f5c Mon Sep 17 00:00:00 2001 From: Nicolas Pena Date: Fri, 27 Jan 2017 10:05:36 -0500 Subject: Limit parsing recursion levels in CPDF_StreamParser MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We currently only limit the array recursion levels. This recursion level may also be reset when parsing. This is insufficient to protect against stack overflows. BUG=681920 Change-Id: I69bd0c912fb45c0e68b9b9fa961d43f0adc9bdd3 Reviewed-on: https://pdfium-review.googlesource.com/2434 Commit-Queue: Nicolás Peña Reviewed-by: Tom Sepez --- core/fpdfapi/page/cpdf_streamcontentparser.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'core/fpdfapi/page/cpdf_streamcontentparser.cpp')
diff --git a/core/fpdfapi/page/cpdf_streamcontentparser.cpp b/core/fpdfapi/page/cpdf_streamcontentparser.cpp
index 2426027976..0e78612bc9 100644
--- a/core/fpdfapi/page/cpdf_streamcontentparser.cpp
+++ b/core/fpdfapi/page/cpdf_streamcontentparser.cpp
@@ -628,7 +628,7 @@ void CPDF_StreamContentParser::Handle_BeginImage() {
 break;
 }
 CFX_ByteString key(m_pSyntax->GetWord().Mid(1));
- auto pObj = m_pSyntax->ReadNextObject(false, 0);
+ auto pObj = m_pSyntax->ReadNextObject(false, false, 0);
 if (!key.IsEmpty()) {
 uint32_t dwObjNum = pObj ? pObj->GetObjNum() : 0;
 if (dwObjNum)
-- cgit v1.2.3
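Review bot: At the updated call in Handle_BeginImage, `ReadNextObject(false, false, 0)` passes two adjacent bare booleans and a literal depth, so nothing at the call site shows which flag is which or that parsing of an inline-image dictionary value starts at depth 0. I would annotate the arguments with the parameter names from the declaration, which is not part of this view, in the form `ReadNextObject(/*<first flag>=*/false, /*<second flag>=*/false, /*<depth>=*/0)`. Since the point of the commit is that over-deep input is now refused, presumably by returning null, it is also worth confirming that the code after `if (dwObjNum)` tolerates a null `pObj`; only the `pObj ? ... : 0` guard is visible here and the function body continues outside the hunk. A regression test with a deeply nested array or dictionary as an inline-image dictionary value would pin the BUG=681920 behaviour.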