
Side by Side Diff: core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

Issue 1569343002: Fix infinite loop caused by parsing same indirect objects (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master
Patch Set: more name change Created 4 years, 11 months ago
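--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -1,10 +1,10 @@
 // Copyright 2014 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
 #include "core/include/fpdfapi/fpdf_parser.h"
 
 #include <algorithm>
 #include <memory>
@@ -29,20 +29,34 @@
 // A limit on the maximum object number in the xref table. Theoretical limits
 // are higher, but this may be large enough in practice.
 const FX_DWORD kMaxObjectNumber = 1048576;
 
 struct SearchTagRecord {
 const char* m_pTag;
 FX_DWORD m_Len;
 FX_DWORD m_Offset;
 };
 
+template <typename T>
+class ScopedSetInsertion {
+public:
+ScopedSetInsertion(std::set<T>* org_set, T elem)
+: m_Set(org_set), m_Entry(elem) {
+m_Set->insert(m_Entry);
+}
+~ScopedSetInsertion() { m_Set->erase(m_Entry); }
+
+private:
+std::set<T>* const m_Set;
+const T m_Entry;
+};
+
 int CompareFileSize(const void* p1, const void* p2) {
 return *(FX_FILESIZE*)p1 - *(FX_FILESIZE*)p2;
 }
 
 int32_t GetHeaderOffset(IFX_FileRead* pFile) {
 const FX_DWORD tag = FXDWORD_FROM_LSBFIRST(0x46445025);
 const size_t kBufSize = 4;
 uint8_t buf[kBufSize];
 int32_t offset = 0;
 while (offset <= 1024) {
@@ -1184,20 +1198,25 @@
 m_Syntax.RestorePos(SavedPos);
 return TRUE;
 }
 
 CPDF_Object* CPDF_Parser::ParseIndirectObject(CPDF_IndirectObjects* pObjList,
 FX_DWORD objnum,
 PARSE_CONTEXT* pContext) {
 if (!IsValidObjectNumber(objnum))
 return nullptr;
 
+// Prevent circular parsing the same object.
+if (pdfium::ContainsKey(m_ParsingObjNums, objnum))
+return nullptr;
+ScopedSetInsertion<FX_DWORD> local_insert(&m_ParsingObjNums, objnum);
+
 if (m_V5Type[objnum] == 1 || m_V5Type[objnum] == 255) {
 FX_FILESIZE pos = m_ObjectInfo[objnum].pos;
 if (pos <= 0)
 return nullptr;
 return ParseIndirectObjectAt(pObjList, pos, objnum, pContext);
 }
 if (m_V5Type[objnum] != 2)
 return nullptr;
 
 CPDF_StreamAcc* pObjStream = GetObjectStream(m_ObjectInfo[objnum].pos);
@@ -4969,10 +4988,10 @@
 if (!m_pLinearizedDict)
 return -1;
 CPDF_Array* pRange = m_pLinearizedDict->GetArray("H");
 if (!pRange)
 return -1;
 CPDF_Object* pStreamLen = pRange->GetElementValue(1);
 if (!pStreamLen)
 return -1;
 return pStreamLen->GetInteger();
 }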
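Review bot: ScopedSetInsertion (new lines 39-51) is copyable, and a copy or assignment would erase the entry from the set as soon as the first copy is destroyed, silently dropping the recursion guard while the original is still in scope; delete the copy operations with `ScopedSetInsertion(const ScopedSetInsertion&) = delete;` and `ScopedSetInsertion& operator=(const ScopedSetInsertion&) = delete;`. The destructor also erases unconditionally, so the class is only correct when the element was not already present, which ParseIndirectObject guarantees through the ContainsKey check immediately before the insertion; a class comment such as `// Caller must ensure elem is not already in *org_set; the destructor erases it unconditionally.` would make that precondition explicit for future users. Because the ContainsKey test and the insert are two separate steps on a plain std::set member, the guard presumes a single thread parses a given CPDF_Parser at a time — that looks like the existing assumption, but worth confirming. The visible include block (new lines 9-10) does not show `<set>`; if fpdf_parser.h does not already provide it, add `#include <set>` here. The body of ParseIndirectObject continues past the end of this hunk.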