Fix segmentation fault 'denial of service condition'
authorJUN FANG <jun_fang@foxitsoftware.com>
Thu, 23 Apr 2015 17:12:19 +0000 (10:12 -0700)
committerJUN FANG <jun_fang@foxitsoftware.com>
Thu, 23 Apr 2015 17:12:19 +0000 (10:12 -0700)
BUG=467392
R=thestig@chromium.org, tsepez@chromium.org

Review URL: https://codereview.chromium.org/1064713008

core/include/fpdfapi/fpdf_objects.h
core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp

index 0315465..b3980a4 100644 (file)
@@ -39,12 +39,12 @@ class CPDF_Object
 {
 public:
 
-    int                                                GetType() const
+    int                                 GetType() const
     {
         return m_Type;
     }
 
-    FX_DWORD                           GetObjNum() const
+    FX_DWORD                            GetObjNum() const
     {
         return m_ObjNum;
     }
@@ -54,51 +54,51 @@ public:
         return m_GenNum;
     }
 
-    FX_BOOL                                    IsIdentical(CPDF_Object* pObj) const;
+    FX_BOOL                             IsIdentical(CPDF_Object* pObj) const;
 
-    CPDF_Object*                       Clone(FX_BOOL bDirect = FALSE) const;
+    CPDF_Object*                        Clone(FX_BOOL bDirect = FALSE) const;
 
-    CPDF_Object*                       CloneRef(CPDF_IndirectObjects* pObjs) const;
+    CPDF_Object*                        CloneRef(CPDF_IndirectObjects* pObjs) const;
 
-    CPDF_Object*                       GetDirect() const;
+    CPDF_Object*                        GetDirect() const;
 
-    void                                       Release();
+    void                                Release();
 
-    CFX_ByteString                     GetString() const;
-
-    CFX_ByteStringC                    GetConstString() const;
+    CFX_ByteString                      GetString() const;
 
-    CFX_WideString                     GetUnicodeText(CFX_CharMap* pCharMap = NULL) const;
+    CFX_ByteStringC                     GetConstString() const;
 
-    FX_FLOAT                           GetNumber() const;
+    CFX_WideString                      GetUnicodeText(CFX_CharMap* pCharMap = NULL) const; 
+    FX_FLOAT                            GetNumber() const;
 
-    FX_FLOAT                           GetNumber16() const;
+    FX_FLOAT                            GetNumber16() const;
 
-    int                                                GetInteger() const;
+    int                                 GetInteger() const;
 
-    CPDF_Dictionary*           GetDict() const;
+    CPDF_Dictionary*                    GetDict() const;
 
-    CPDF_Array*                                GetArray() const;
+    CPDF_Array*                         GetArray() const;
 
-    void                                       SetString(const CFX_ByteString& str);
+    void                                SetString(const CFX_ByteString& str);
 
-    void                                       SetUnicodeText(FX_LPCWSTR pUnicodes, int len = -1);
+    void                                SetUnicodeText(FX_LPCWSTR pUnicodes, int len = -1);
 
-    int                                                GetDirectType() const;
+    int                                 GetDirectType() const;
 
-    FX_BOOL                                    IsModified() const
+    FX_BOOL                             IsModified() const
     {
         return FALSE;
     }
 protected:
     CPDF_Object(FX_DWORD type) : m_Type(type), m_ObjNum(0), m_GenNum(0) { }
     ~CPDF_Object() { }
+    void                                Destroy();
 
-    void                                       Destroy();
-
-    FX_DWORD                           m_Type;
-    FX_DWORD                           m_ObjNum;
-    FX_DWORD                           m_GenNum;
+    static const int                    OBJECT_REF_MAX_DEPTH = 128;
+    static int                          s_nCurRefDepth;
+    FX_DWORD                            m_Type;
+    FX_DWORD                            m_ObjNum;
+    FX_DWORD                            m_GenNum;
 
     friend class                       CPDF_IndirectObjects;
     friend class                       CPDF_Parser;
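Review bot: `s_nCurRefDepth` on line 98 is a process-wide, non-atomic static, so the recursion budget is shared by every CPDF_Object across all threads; two threads resolving objects concurrently would race on the counter and could either spuriously hit the limit or exceed it. If the parser is only used from one thread at a time, that invariant belongs next to the declaration, e.g. `// Recursion guard for reference resolution; not thread-safe, assumes single-threaded access to a document.` The constant `OBJECT_REF_MAX_DEPTH = 128` also deserves a one-line comment saying it bounds indirect-reference chains so a self-referencing object cannot exhaust the stack (BUG=467392). Separately, line 58 carries trailing whitespace and drops the blank line that separated `GetUnicodeText` from `GetNumber` in the original, breaking the one-blank-line-per-declaration layout used by the rest of the class.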
index db3d382..912af29 100644 (file)
@@ -7,6 +7,9 @@
 #include "../../../include/fpdfapi/fpdf_parser.h"
 #include "../../../include/fxcrt/fx_string.h"
 
+//static
+int CPDF_Object::s_nCurRefDepth = 0;
+
 void CPDF_Object::Release()
 {
     if (m_ObjNum) {
@@ -107,6 +110,10 @@ FX_FLOAT CPDF_Object::GetNumber16() const
 }
 int CPDF_Object::GetInteger() const
 {
+    CFX_AutoRestorer<int> restorer(&s_nCurRefDepth);
+    if (++s_nCurRefDepth > OBJECT_REF_MAX_DEPTH) {
+        return 0;
+    }
     switch (m_Type) {
         case PDFOBJ_BOOLEAN:
             return ((CPDF_Boolean*)this)->m_bValue;
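Review bot: When the depth guard trips, `GetInteger` returns 0, which is indistinguishable from a genuine integer value of 0, so a caller cannot tell a truncated reference chain from a real zero; at minimum the early return should say so, e.g. `return 0;  // depth limit hit: an over-deep reference chain is treated as 0 instead of recursing further`. The restorer is constructed before the `++`, so the saved value is the pre-increment depth and the counter is unwound correctly on every return path. Only GetInteger is guarded in what is visible here; the other getters that follow references (GetNumber, GetString, GetDict, …) presumably need the same guard, but their bodies are outside this hunk and cannot be confirmed from the page. GetInteger's switch continues past the end of the hunk.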