From 0c01ad05afe4dbc36c6aa32a10a0f98eb677d4be Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Tue, 3 Feb 2015 16:18:19 -0800
Subject: Fix stack exhaustion in CPDF_DataAvail::HaveResourceAncestor()

BUG=https://code.google.com/p/pdfium/issues/detail?id=113
R=thestig@chromium.org

Review URL: https://codereview.chromium.org/880043004
---
 core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'core/src')

diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 29265f407f..4b80895d61 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -2743,7 +2743,11 @@ public:
     }
 
     virtual void                        GetLinearizedMainXRefInfo(FX_FILESIZE *pPos, FX_DWORD *pSize)  FX_OVERRIDE;
+
 protected:
+    static const int kMaxDataAvailRecursionDepth = 64;
+    static int s_CurrentDataAvailRecursionDepth;
+
     FX_DWORD                            GetObjectSize(FX_DWORD objnum, FX_FILESIZE& offset);
     FX_BOOL                             IsObjectsAvail(CFX_PtrArray& obj_array, FX_BOOL bParsePage, IFX_DownloadHints* pHints, CFX_PtrArray &ret_array);
     FX_BOOL                             CheckDocStatus(IFX_DownloadHints *pHints);
@@ -2919,6 +2923,9 @@ IPDF_DataAvail* IPDF_DataAvail::Create(IFX_FileAvail* pFileAvail, IFX_FileRead*
   return FX_NEW CPDF_DataAvail(pFileAvail, pFileRead);
 }
 
+// static
+int CPDF_DataAvail::s_CurrentDataAvailRecursionDepth = 0;
+
 CPDF_DataAvail::CPDF_DataAvail(IFX_FileAvail* pFileAvail, IFX_FileRead* pFileRead)
     : IPDF_DataAvail(pFileAvail, pFileRead)
 {
@@ -4395,6 +4402,10 @@ FX_BOOL CPDF_DataAvail::CheckLinearizedFirstPage(FX_INT32 iPage, IFX_DownloadHin
 }
 FX_BOOL CPDF_DataAvail::HaveResourceAncestor(CPDF_Dictionary *pDict)
 {
+    CFX_AutoRestorer<int> restorer(&s_CurrentDataAvailRecursionDepth);
+    if (++s_CurrentDataAvailRecursionDepth > kMaxDataAvailRecursionDepth) {
+        return FALSE;
+    }
     CPDF_Object *pParent = pDict->GetElement("Parent");
     if (!pParent) {
         return FALSE;
@@ -4407,9 +4418,8 @@ FX_BOOL CPDF_DataAvail::HaveResourceAncestor(CPDF_Dictionary *pDict)
     if (pRet) {
         m_pPageResource = pRet;
         return TRUE;
-    } else {
-        return HaveResourceAncestor(pParentDict);
     }
+    return HaveResourceAncestor(pParentDict);
 }
 FX_BOOL CPDF_DataAvail::IsPageAvail(FX_INT32 iPage, IFX_DownloadHints* pHints)
 {
-- 
cgit v1.2.3