authorTom Sepez <tsepez@chromium.org>2023-03-07 22:42:23 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-03-24 10:08:24 +0000
commit4308208812a2b3e9af9c6c15d32e0f76f3edf629 (patch)
treeb1eb5886ac95e9b6c9f19a29bad65daa6e3aca30
parentfbe4414812b6c75fb4a3b05511248a4fb2abdc6b (diff)
[Backport] CVE-2023-1530: Use after free in PDF (2/2)
Cherry-pick of patch originally reviewed on https://pdfium-review.googlesource.com/c/pdfium/+/104511: More tightly validate XML names in CXFA_FFDocView::GetWidgetByName() Widget names must conform to XML name rules. -- Beef up tests while at it. Fixed: chromium:1419831 Change-Id: Id36b4a7b3d84aa0b74d54c91eed2f1a11da8298f Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/104511 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468613 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/pdfium/xfa/fxfa/cxfa_ffdocview.cpp19
1 files changed, 19 insertions, 0 deletions
diff --git a/chromium/third_party/pdfium/xfa/fxfa/cxfa_ffdocview.cpp b/chromium/third_party/pdfium/xfa/fxfa/cxfa_ffdocview.cpp
index ae6eacade69..cf056f018b8 100644
--- a/chromium/third_party/pdfium/xfa/fxfa/cxfa_ffdocview.cpp
+++ b/chromium/third_party/pdfium/xfa/fxfa/cxfa_ffdocview.cpp
@@ -11,6 +11,7 @@
#include "core/fxcrt/fx_extension.h"
#include "core/fxcrt/stl_util.h"
+#include "core/fxcrt/xml/cfx_xmlparser.h"
#include "fxjs/gc/container_trace.h"
#include "fxjs/xfa/cfxjse_engine.h"
#include "fxjs/xfa/cjx_object.h"
@@ -43,6 +44,21 @@
#include "xfa/fxfa/parser/cxfa_validate.h"
#include "xfa/fxfa/parser/xfa_utils.h"
+namespace {
+
+bool IsValidXMLNameString(const WideString& str) {
+ bool first = true;
+ for (const auto ch : str) {
+ if (!CFX_XMLParser::IsXMLNameChar(ch, first)) {
+ return false;
+ }
+ first = false;
+ }
+ return true;
+}
+
+} // namespace
+
const XFA_AttributeValue kXFAEventActivity[] = {
XFA_AttributeValue::Click, XFA_AttributeValue::Change,
XFA_AttributeValue::DocClose, XFA_AttributeValue::DocReady,
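Review bot: `IsValidXMLNameString` accepts the empty string — with no characters the range-for body never runs and the function falls through to `return true;` — even though an empty name is not a well-formed XML Name, so the guard this diff adds to GetWidgetByName still passes an empty wsName on to the lookup. If an empty name is not meant to reach the resolver, add `if (str.IsEmpty()) return false;` ahead of the loop (WideString exposes IsEmpty() elsewhere in pdfium). The helper also deserves a one-line comment stating its contract, e.g. `// True iff every code unit of |str| satisfies CFX_XMLParser::IsXMLNameChar, the first one with |first| = true; note the empty string is accepted.` — the second argument is presumably the "is first character" flag, judging by the variable name, so confirm that against cfx_xmlparser.h before wording the comment.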
@@ -445,6 +461,9 @@ XFA_EventError CXFA_FFDocView::ExecEventActivityByDeepFirst(
CXFA_FFWidget* CXFA_FFDocView::GetWidgetByName(const WideString& wsName,
CXFA_FFWidget* pRefWidget) {
+ if (!IsValidXMLNameString(wsName)) {
+ return nullptr;
+ }
CFXJSE_Engine* pScriptContext = m_pDoc->GetXFADoc()->GetScriptContext();
CXFA_Node* pRefNode = nullptr;
if (pRefWidget) {
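Review bot: The new early return at the top of GetWidgetByName carries no explanation of why an XML-name check belongs in a widget lookup, and a later cleanup could easily drop it as an unrelated restriction; a why-comment should precede it, e.g. `// Widget names must be well-formed XML names; reject anything else before the name is handed to the script context fetched below (chromium:1419831, CVE-2023-1530).` Placing the check before `m_pDoc->GetXFADoc()->GetScriptContext()` is the right order, since nothing is dereferenced for a rejected name. The function still returns nullptr for both "invalid name" and "not found", so callers cannot tell the two apart — acceptable here, but worth stating in that comment. The body of GetWidgetByName continues past the end of the hunk.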