Validate CFXJSE_FormCalcContext::Space() parameter.
Set an upper limit on the number of spaces Space() can return. Limit
corresponds to what Acrobat Reader can fit into a text box.
Bug: chromium:1277342
Change-Id: Ie695541f736a44b31ad11aab6202070cdc49bd96
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/87790
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/fxjs/xfa/cfxjse_formcalc_context.cpp b/fxjs/xfa/cfxjse_formcalc_context.cpp
index 5c75971..f5a1419 100644
--- a/fxjs/xfa/cfxjse_formcalc_context.cpp
+++ b/fxjs/xfa/cfxjse_formcalc_context.cpp
@@ -4179,7 +4179,13 @@
return;
}
+ // Maximum number of characters Acrobat can fit in a text box.
+ constexpr int kMaxCharCount = 15654908;
int count = std::max(0, ValueToInteger(info.GetIsolate(), argOne));
+ if (count > kMaxCharCount) {
+ ToFormCalcContext(pThis)->ThrowException(L"String too long.");
+ return;
+ }
std::vector<char, FxAllocAllocator<char>> space_string(count, ' ');
info.GetReturnValue().Set(
fxv8::NewStringHelper(info.GetIsolate(), ByteStringView(space_string)));
diff --git a/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp b/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp
index 1241659..4014be4 100644
--- a/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp
+++ b/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp
@@ -1086,6 +1086,10 @@
for (size_t i = 0; i < pdfium::size(tests); ++i)
ExecuteExpectString(tests[i].program, tests[i].result);
+
+ const char* const kErrorCases[] = {"Space(15654909)", "Space(99999999)"};
+ for (const char* error_case : kErrorCases)
+ ExecuteExpectError(error_case);
}
TEST_F(CFXJSE_FormCalcContextEmbedderTest, Str) {
