Limit size of expression list in FormCalc parser Limits the number of elements that can be added to the expressions list in the FormCalc parser. This handles cases like long strings of ! repeated, since ! is a valid identifier and identifiers are valid expression, even though it will be no-op. This is another case of something that is valid, but stupid. BUG=chromium:870385 Change-Id: I8e34ce00bcbe4499e0a45bd5dc38541793144481 Reviewed-on: https://pdfium-review.googlesource.com/39630 Reviewed-by: Henrique Nakashima <hnakashima@chromium.org> Commit-Queue: Ryan Harrison <rharrison@chromium.org>

commit: 6d9897b103aef10b369eb999a40c22011a8ae4f5 [log] [tgz]
author: Ryan Harrison <rharrison@chromium.org> Wed Aug 08 15:04:26 2018 +0000
committer: Chromium commit bot <commit-bot@chromium.org> Wed Aug 08 15:04:26 2018 +0000
tree: 5810fcece4c8e37c902a6e9ee17c9d158ccd88ec
parent: f90277e7f4bd99bba419b53341c6c7bdca478eed [diff]
diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
index be0a31b..0857573 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp

@@ -17,6 +17,7 @@
 
 constexpr unsigned int kMaxParseDepth = 1250;
 constexpr unsigned int kMaxPostExpressions = 256;
+constexpr unsigned int kMaxExpressionListSize = 10000;
 
 }  // namespace
 
@@ -91,6 +92,12 @@
       m_error = true;
       return std::vector<std::unique_ptr<CXFA_FMExpression>>();
     }
+
+    if (expressions.size() >= kMaxExpressionListSize) {
+      m_error = true;
+      return std::vector<std::unique_ptr<CXFA_FMExpression>>();
+    }
+
     expressions.push_back(std::move(expr));
   }
   return expressions;
commit	6d9897b103aef10b369eb999a40c22011a8ae4f5	[log] [tgz]
author	Ryan Harrison <rharrison@chromium.org>	Wed Aug 08 15:04:26 2018 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	Wed Aug 08 15:04:26 2018 +0000
tree	5810fcece4c8e37c902a6e9ee17c9d158ccd88ec
parent	f90277e7f4bd99bba419b53341c6c7bdca478eed [diff]