Make CFX_XMLParser less permissive

Currently the parser will accept arbitrary garbage before the first
element begins. This is causing issues with ClusterFuzz since it
generates a lot of trash inputs which take a long time to parse
in spite of being invalid.

This CL adds in a check of how deep the parse is when dealing with
text, and if it is at the top level scope, then only accept the
beginning of the root node.

BUG=chromium:863098

Change-Id: Ie45114ecf488f7e8a68a120d153033c7089d5cdc
Reviewed-on: https://pdfium-review.googlesource.com/39470
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fxcrt/xml/cfx_xmlparser.cpp b/core/fxcrt/xml/cfx_xmlparser.cpp
index 094daac..115b3e7 100644
--- a/core/fxcrt/xml/cfx_xmlparser.cpp
+++ b/core/fxcrt/xml/cfx_xmlparser.cpp
@@ -92,7 +92,8 @@
 
   FX_SAFE_SIZE_T alloc_size_safe = m_iXMLPlaneSize;
   alloc_size_safe += 1;  // For NUL.
-  if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0)
+  if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0 ||
+      m_iXMLPlaneSize <= 0)
     return false;
 
   std::vector<wchar_t> buffer;
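Review bot: the new `m_iXMLPlaneSize <= 0` test is the only part of this condition that can actually reject a zero-sized plane, so it belongs first in the expression, before the checked add is even evaluated. `alloc_size_safe` is an `FX_SAFE_SIZE_T` that has just had 1 added to it: if the add did not overflow, `ValueOrDie()` is at least 1, and if it did, `IsValid()` already fails, so `alloc_size_safe.ValueOrDie() <= 0` is effectively dead and can be dropped (an unsigned `<= 0` compare also tends to draw compiler warnings). Suggested shape: `if (m_iXMLPlaneSize <= 0) return false;` ahead of the `FX_SAFE_SIZE_T` computation, keeping just `!alloc_size_safe.IsValid()` afterwards, with a one-line comment saying why an empty plane is an error rather than a no-op. If `m_iXMLPlaneSize` is an unsigned type, `<= 0` should be written `== 0` for the same reason.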
@@ -133,6 +134,8 @@
               current_parser_state = FDE_XmlSyntaxState::Node;
             }
           } else {
+            if (node_type_stack.size() <= 0 && ch && !FXSYS_iswspace(ch))
+              return false;
             ProcessTextChar(ch);
             current_buffer_idx++;
           }
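Review bot: `node_type_stack.size() <= 0` is an unsigned compare and means `== 0`; write it as `node_type_stack.empty()`, which is clearer and avoids the warning. More importantly, the stack is also empty after the root element has closed, so this check rejects any non-whitespace text after the root as well as before it, which is stricter than the commit message ("garbage before the first element begins") describes; if trailing content is meant to be rejected too, say so in the message and in a comment on the `if`, and if not, the state needs to distinguish "no root yet" from "root already closed". Also note the `ch &&` clause lets a NUL through to `ProcessTextChar` at top level; a short comment on why NUL is exempt (presumably the buffer's terminator) would help the next reader.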