commit 044b1d6f4929dd8905a259c1e134f2e582726d3b
author tsepez <tsepez@chromium.org> Tue Sep 20 05:56:50 2016 -0700
committer Commit bot <commit-bot@chromium.org> Tue Sep 20 05:56:50 2016 -0700
tree 09f2d32ff9d80e2a8dfba562ef489417c11cfeaa
parent 81e1e3fd2d33478733e47bd007b76fac1a663e74

Fix stack exhaustion in CPDF_PSProc::Parse()

BUG=648059

Review-Url: https://codereview.chromium.org/2350013003

core/fpdfapi/fpdf_page/cpdf_psengine.h

diff --git a/core/fpdfapi/fpdf_page/cpdf_psengine.h b/core/fpdfapi/fpdf_page/cpdf_psengine.h
index fc8badb..c154eb8 100644
--- a/core/fpdfapi/fpdf_page/cpdf_psengine.h
+++ b/core/fpdfapi/fpdf_page/cpdf_psengine.h
@@ -70,10 +70,11 @@
   CPDF_PSProc();
   ~CPDF_PSProc();
 
-  FX_BOOL Parse(CPDF_SimpleParser* parser);
+  FX_BOOL Parse(CPDF_SimpleParser* parser, int depth);
   FX_BOOL Execute(CPDF_PSEngine* pEngine);
 
  private:
+  static const int kMaxDepth = 128;
   std::vector<std::unique_ptr<CPDF_PSOP>> m_Operators;
 };
 

core/fpdfapi/fpdf_page/fpdf_page_func.cpp

diff --git a/core/fpdfapi/fpdf_page/fpdf_page_func.cpp b/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
index 63ab305..266b2bd 100644
--- a/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
+++ b/core/fpdfapi/fpdf_page/fpdf_page_func.cpp
@@ -139,9 +139,13 @@
   if (word != "{") {
     return FALSE;
   }
-  return m_MainProc.Parse(&parser);
+  return m_MainProc.Parse(&parser, 0);
 }
-FX_BOOL CPDF_PSProc::Parse(CPDF_SimpleParser* parser) {
+
+FX_BOOL CPDF_PSProc::Parse(CPDF_SimpleParser* parser, int depth) {
+  if (depth > kMaxDepth)
+    return FALSE;
+
   while (1) {
     CFX_ByteStringC word = parser->GetWord();
     if (word.IsEmpty()) {
@@ -154,7 +158,7 @@
       std::unique_ptr<CPDF_PSProc> proc(new CPDF_PSProc);
       std::unique_ptr<CPDF_PSOP> op(new CPDF_PSOP(std::move(proc)));
       m_Operators.push_back(std::move(op));
-      if (!m_Operators.back()->GetProc()->Parse(parser)) {
+      if (!m_Operators.back()->GetProc()->Parse(parser, depth + 1)) {
         return FALSE;
       }
     } else {