commit 5d809a2bc6bf8300a90463fdeb3c889f4cae7f1d
author Lei Zhang <thestig@chromium.org> Sat Feb 03 01:45:53 2024 +0000
committer Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> Sat Feb 03 01:45:53 2024 +0000
tree 1c4a5042c25503f6efa9c60c0311f494ddfe5f7f
parent 4c76a8ffee914f4635e38ae37297b1f49820111e

Remove limit on number of form XObjects within a form XObject

Recent bugs reports showed that this limit is being reached in
legitimate real-world PDFs. Favor rendering these correctly over trying
to stop PDFs that intentionally use up resources. As such, this CL
effectively revert CLs [1] and [2] to restore the prior behavior.

The malicious PDF can be dealt with later via some other means.

[1] https://pdfium-review.googlesource.com/108333
[2] https://pdfium-review.googlesource.com/115670

Bug: chromium:1519494,pdfium:1815
Change-Id: I5209a98817431ed12c31a0638000219074d0f9bf
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/116132
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Thomas Sepez <tsepez@google.com>

core/fpdfapi/page/cpdf_contentparser.cpp

diff --git a/core/fpdfapi/page/cpdf_contentparser.cpp b/core/fpdfapi/page/cpdf_contentparser.cpp
index f1bb8a9..dce0dc5 100644
--- a/core/fpdfapi/page/cpdf_contentparser.cpp
+++ b/core/fpdfapi/page/cpdf_contentparser.cpp
@@ -200,7 +200,6 @@
 CPDF_ContentParser::Stage CPDF_ContentParser::Parse() {
   if (!m_pParser) {
     m_RecursionState.parsed_set.clear();
-    m_RecursionState.form_count = 0;
     m_pParser = std::make_unique<CPDF_StreamContentParser>(
         m_pPageObjectHolder->GetDocument(),
         m_pPageObjectHolder->GetMutablePageResources(), nullptr, nullptr,

core/fpdfapi/page/cpdf_form.h

diff --git a/core/fpdfapi/page/cpdf_form.h b/core/fpdfapi/page/cpdf_form.h
index ba0fbd4..3ced731 100644
--- a/core/fpdfapi/page/cpdf_form.h
+++ b/core/fpdfapi/page/cpdf_form.h
@@ -29,7 +29,6 @@
     ~RecursionState();
 
     std::set<const uint8_t*> parsed_set;
-    int form_count = 0;
   };
 
   // Helper method to choose the first non-null resources dictionary.

core/fpdfapi/page/cpdf_streamcontentparser.cpp

diff --git a/core/fpdfapi/page/cpdf_streamcontentparser.cpp b/core/fpdfapi/page/cpdf_streamcontentparser.cpp
index 38fead5..51553c0 100644
--- a/core/fpdfapi/page/cpdf_streamcontentparser.cpp
+++ b/core/fpdfapi/page/cpdf_streamcontentparser.cpp
@@ -51,9 +51,6 @@
 
 constexpr int kMaxFormLevel = 40;
 
-// Upper limit for the number of form XObjects within a form XObject.
-constexpr int kFormCountLimit = 8192;
-
 constexpr int kSingleCoordinatePair = 1;
 constexpr int kTensorCoordinatePairs = 16;
 constexpr int kCoonsCoordinatePairs = 12;
@@ -748,16 +745,7 @@
 
   const ByteString type = pXObject->GetDict()->GetByteStringFor("Subtype");
   if (type == "Form") {
-    if (m_RecursionState->form_count > kFormCountLimit) {
-      return;
-    }
-
-    const bool is_first = m_RecursionState->form_count == 0;
-    ++m_RecursionState->form_count;
     AddForm(std::move(pXObject), name);
-    if (is_first) {
-      m_RecursionState->form_count = 0;
-    }
     return;
   }