Limit recursion depth for CXFA_DocumentParser::NormalLoader().
Bug: chromium:849143
Change-Id: I973bb3be6151ac3afad850533cb735c03e9f3d2c
Reviewed-on: https://pdfium-review.googlesource.com/38210
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
diff --git a/xfa/fxfa/parser/cxfa_document_parser.cpp b/xfa/fxfa/parser/cxfa_document_parser.cpp
index 599662a..8e5ff9f 100644
--- a/xfa/fxfa/parser/cxfa_document_parser.cpp
+++ b/xfa/fxfa/parser/cxfa_document_parser.cpp
@@ -9,6 +9,7 @@
#include <utility>
#include <vector>
+#include "core/fxcrt/autorestorer.h"
#include "core/fxcrt/cfx_memorystream.h"
#include "core/fxcrt/cfx_widetextbuf.h"
#include "core/fxcrt/fx_codepage.h"
@@ -768,6 +769,12 @@
CFX_XMLNode* pXMLDoc,
XFA_PacketType ePacketID,
bool bUseAttribute) {
+ constexpr const unsigned long kMaxExecuteRecursion = 1000;
+ if (m_ExecuteRecursionDepth > kMaxExecuteRecursion)
+ return nullptr;
+ AutoRestorer<unsigned long> restorer(&m_ExecuteRecursionDepth);
+ ++m_ExecuteRecursionDepth;
+
bool bOneOfPropertyFound = false;
for (CFX_XMLNode* pXMLChild = pXMLDoc->GetFirstChild(); pXMLChild;
pXMLChild = pXMLChild->GetNextSibling()) {
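Review bot: The early `return nullptr;` taken when `m_ExecuteRecursionDepth > kMaxExecuteRecursion` silently drops the over-deep subtree, and the hunk does not show whether the recursive call site treats that nullptr as a load failure or carries on with a truncated tree. Since the nesting depth comes from the document's XML, confirm which is intended and record it above the guard, e.g. `// Nesting depth is controlled by the input XML; stop descending past the limit (presumably to bound stack use).` The `>` comparison lets 1001 nested calls through before the guard fires, so use `>=` if 1000 is meant as the hard cap. `constexpr const` is also redundant; `constexpr unsigned long kMaxExecuteRecursion = 1000;` is enough. NormalLoader's body starts and ends outside the hunk.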
diff --git a/xfa/fxfa/parser/cxfa_document_parser.h b/xfa/fxfa/parser/cxfa_document_parser.h
index 04ed5ab..4e75db9 100644
--- a/xfa/fxfa/parser/cxfa_document_parser.h
+++ b/xfa/fxfa/parser/cxfa_document_parser.h
@@ -75,6 +75,7 @@
std::unique_ptr<CFX_XMLDocument> xml_doc_;
// TODO(dsinclair): Figure out who owns this.
CXFA_Node* m_pRootNode = nullptr;
+ unsigned long m_ExecuteRecursionDepth = 0;
};
#endif // XFA_FXFA_PARSER_CXFA_DOCUMENT_PARSER_H_
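Review bot: `m_ExecuteRecursionDepth` is added without a comment, and its name says "Execute" although its only visible use is counting nested NormalLoader() calls in cxfa_document_parser.cpp. A name such as `m_NormalLoaderRecursionDepth`, with `kMaxExecuteRecursion` in the .cpp hunk renamed to match, would make the purpose clear from the header. A one-line comment would help too, e.g. `// Current nesting depth of NormalLoader(); checked against a fixed limit on entry.` The class body starts outside the hunk.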