Exit infinite loops for cross reference loading

core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

Index: core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index c6e48e74a2cc9ba20a8177a4ef6cf26fb4deac9a..bf011fdfc232be70aa4e1bfb3cfe2e8a080ebf28 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -377,12 +377,15 @@ FX_BOOL CPDF_Parser::LoadAllCrossRefV4(FX_FILESIZE xrefpos) {
   if (!CheckDirectType(m_pTrailer, "Prev", PDFOBJ_NUMBER)) {
     return FALSE;
   }
-  FX_FILESIZE newxrefpos = GetDirectInteger(m_pTrailer, "Prev");
-  if (newxrefpos == xrefpos) {
-    return FALSE;
-  }
-  xrefpos = newxrefpos;
+
+  std::set<FX_FILESIZE> seen_xrefpos;
+  seen_xrefpos.insert(xrefpos);
+  xrefpos = GetDirectInteger(m_pTrailer, "Prev");
   while (xrefpos) {
+    // Check for circular references.
+    if (seen_xrefpos.find(xrefpos) != seen_xrefpos.end())

[Lei Zhang, 2016/01/05 03:30:27]

I added pdfium::ContainsKey() recently. You can use that here.

[Wei Li, 2016/01/05 19:52:00]

Done.

+      return FALSE;
+    seen_xrefpos.insert(xrefpos);
     CrossRefList.InsertAt(0, xrefpos);
     LoadCrossRefV4(xrefpos, 0, TRUE);
     std::unique_ptr<CPDF_Dictionary, ReleaseDeleter<CPDF_Dictionary>> pDict(
@@ -392,12 +395,8 @@ FX_BOOL CPDF_Parser::LoadAllCrossRefV4(FX_FILESIZE xrefpos) {
 
     if (!CheckDirectType(pDict.get(), "Prev", PDFOBJ_NUMBER))
       return FALSE;
+    xrefpos = GetDirectInteger(pDict.get(), "Prev");
 
-    newxrefpos = GetDirectInteger(pDict.get(), "Prev");
-    if (newxrefpos == xrefpos)
-      return FALSE;
-
-    xrefpos = newxrefpos;
     XRefStreamList.InsertAt(0, pDict->GetInteger("XRefStm"));
     m_Trailers.Add(pDict.release());
   }
@@ -423,17 +422,28 @@ FX_BOOL CPDF_Parser::LoadLinearizedAllCrossRefV4(FX_FILESIZE xrefpos,
   CFX_FileSizeArray CrossRefList, XRefStreamList;
   CrossRefList.Add(xrefpos);
   XRefStreamList.Add(GetDirectInteger(m_pTrailer, "XRefStm"));
+
+  std::set<FX_FILESIZE> seen_xrefpos;
+  seen_xrefpos.insert(xrefpos);
   xrefpos = GetDirectInteger(m_pTrailer, "Prev");
   while (xrefpos) {
+    // Check for circular references.
+    if (seen_xrefpos.find(xrefpos) != seen_xrefpos.end())

[Lei Zhang, 2016/01/05 03:30:27]

Ditto.

[Wei Li, 2016/01/05 19:52:00]

Done.

+      return FALSE;
+    seen_xrefpos.insert(xrefpos);
     CrossRefList.InsertAt(0, xrefpos);
     LoadCrossRefV4(xrefpos, 0, TRUE);
-    CPDF_Dictionary* pDict = LoadTrailerV4();
+    std::unique_ptr<CPDF_Dictionary, ReleaseDeleter<CPDF_Dictionary>> pDict(
+        LoadTrailerV4());
     if (!pDict) {
       return FALSE;
     }
-    xrefpos = GetDirectInteger(pDict, "Prev");
+    if (!CheckDirectType(pDict.get(), "Prev", PDFOBJ_NUMBER))

[Lei Zhang, 2016/01/05 03:30:27]

Can you just see if GetDirectInteger() returns 0 instead? If yes, change 396 as
well.

[Wei Li, 2016/01/05 19:52:00]

Yes, GetDirectInteger() will return 0. The loading will stop there. So I removed
the type checking. This behavior is a little different from the previous one
which aborts the function and the caller may trigger a cross reference rebuild
immediately. This change will be consistent with v5 loading logic. It takes the
cross reference loading as much as it can. 

+      return FALSE;
+    xrefpos = GetDirectInteger(pDict.get(), "Prev");
+
     XRefStreamList.InsertAt(0, pDict->GetInteger("XRefStm"));
-    m_Trailers.Add(pDict);
+    m_Trailers.Add(pDict.release());
   }
   for (int32_t i = 1; i < CrossRefList.GetSize(); i++)
     if (!LoadCrossRefV4(CrossRefList[i], XRefStreamList[i], FALSE)) {