From f99882e726d4a78e1b8fecad8b478276fbdf9c86 Mon Sep 17 00:00:00 2001
From: JUN FANG <jun_fang@foxitsoftware.com>
Date: Thu, 23 Apr 2015 10:12:19 -0700
Subject: Merge to XFA: Fix segmentation fault 'denial of service condition'

BUG=467392
R=thestig@chromium.org, tsepez@chromium.org

Review URL: https://codereview.chromium.org/1064713008
---
 core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'core/src')

diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
index 18f06d6a14..c70e94c984 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
@@ -7,6 +7,9 @@
 #include "../../../include/fpdfapi/fpdf_parser.h"
 #include "../../../include/fxcrt/fx_string.h"
 
+//static
+int CPDF_Object::s_nCurRefDepth = 0;
+
 void CPDF_Object::Release()
 {
     if (m_ObjNum) {
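Review bot: `s_nCurRefDepth` is a single unsynchronized static shared by every `CPDF_Object`, and the `//static` comment above it does not say so. If objects can be read from more than one thread, concurrent increments in `GetInteger()` could trip the limit early or let an over-deep chain through; the threading model is not visible in this diff, so treat this as a question rather than a confirmed defect. I would replace the comment with `// Depth of nested GetInteger() calls while following references; process-wide and not synchronized.` The `Release()` body that follows runs past the end of the hunk.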
@@ -107,6 +110,10 @@ FX_FLOAT CPDF_Object::GetNumber16() const
 }
 int CPDF_Object::GetInteger() const
 {
+    CFX_AutoRestorer<int> restorer(&s_nCurRefDepth);
+    if (++s_nCurRefDepth > OBJECT_REF_MAX_DEPTH) {
+        return 0;
+    }
     switch (m_Type) {
         case PDFOBJ_BOOLEAN:
             return ((CPDF_Boolean*)this)->m_bValue;
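Review bot: When the depth limit is exceeded, `GetInteger()` returns 0 with no signal, so callers cannot tell a cyclic or over-deep reference chain in a malformed PDF from a genuine zero when they use the value as a length, count or index. A comment on the guard would make that choice explicit, e.g. `// Reference chain too deep (probably a cycle in a malformed file): stop recursing and report 0.` Per the diffstat this is the only accessor in the file that gains the guard. Any other getter that follows references recursively would presumably exhaust the stack the same way and deserves the same check, though those bodies are outside the hunk. The `switch` continues past the last visible line.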
-- 
cgit v1.2.3