Prevent infinite loops in CJX_Object::GetMapModule{Buffer,Value}().
BUG=pdfium:1270
Change-Id: I37540e25f1dce8d5d7da21e7e087454c2a9d74af
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/52191
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/fxjs/xfa/cjx_object.cpp b/fxjs/xfa/cjx_object.cpp
index 9be9172..8f1331f 100644
--- a/fxjs/xfa/cjx_object.cpp
+++ b/fxjs/xfa/cjx_object.cpp
@@ -6,6 +6,7 @@
#include "fxjs/xfa/cjx_object.h"
+#include <set>
#include <tuple>
#include "core/fxcrt/fx_extension.h"
@@ -892,8 +893,12 @@
}
Optional<void*> CJX_Object::GetMapModuleValue(void* pKey) const {
+ std::set<const CXFA_Node*> visited;
for (const CXFA_Node* pNode = ToNode(GetXFAObject()); pNode;
pNode = pNode->GetTemplateNodeIfExists()) {
+ if (!visited.insert(pNode).second)
+ break;
+
XFA_MAPMODULEDATA* pModule = pNode->JSObject()->GetMapModuleData();
if (pModule) {
auto it = pModule->m_ValueMap.find(pKey);
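Review bot: The `visited` guard in GetMapModuleValue is added without a comment saying why a template chain can repeat, and the identical guard in the GetMapModuleBuffer hunk has the same gap. The chain followed through GetTemplateNodeIfExists() is built from the document (the bundled test uses `<subform use="$">`), so it is untrusted input. A comment above `std::set<const CXFA_Node*> visited;` would record that, for example `// Template links come from the document and may form a cycle; stop at the first repeated node.` Both loops are the same walk, so a small shared helper that iterates the chain with the guard would keep them from drifting apart. Any other loop over GetTemplateNodeIfExists() outside these hunks presumably needs the same check, and both function bodies continue past the visible lines.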
@@ -948,9 +953,13 @@
bool CJX_Object::GetMapModuleBuffer(void* pKey,
void** pValue,
int32_t* pBytes) const {
+ std::set<const CXFA_Node*> visited;
XFA_MAPDATABLOCK* pBuffer = nullptr;
for (const CXFA_Node* pNode = ToNode(GetXFAObject()); pNode;
pNode = pNode->GetTemplateNodeIfExists()) {
+ if (!visited.insert(pNode).second)
+ break;
+
XFA_MAPMODULEDATA* pModule = pNode->JSObject()->GetMapModuleData();
if (pModule) {
auto it = pModule->m_BufferMap.find(pKey);
diff --git a/testing/resources/pixel/xfa_specific/bug_1270.in b/testing/resources/pixel/xfa_specific/bug_1270.in
new file mode 100644
index 0000000..abf318e
--- /dev/null
+++ b/testing/resources/pixel/xfa_specific/bug_1270.in
@@ -0,0 +1,18 @@
+{{header}}
+{{include ../../xfa_catalog_1_0.fragment}}
+{{include ../../xfa_object_single_2_0.fragment}}
+{{object 3 0}} <<
+ {{streamlen}}
+>>
+stream
+<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
+<template>
+<subform use="$">
+<field>
+endstream
+endobj
+{{include ../../xfa_pages_8_0.fragment}}
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF
diff --git a/testing/resources/pixel/xfa_specific/bug_1270_expected.pdf.0.png b/testing/resources/pixel/xfa_specific/bug_1270_expected.pdf.0.png
new file mode 100644
index 0000000..08c11b0
--- /dev/null
+++ b/testing/resources/pixel/xfa_specific/bug_1270_expected.pdf.0.png
Binary files differ