author | Tom Sepez <tsepez@chromium.org> | 2023-03-07 22:42:23 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-04-14 13:48:18 +0000 |
commit | bfc2432161a27335a0b35318ab75ddd898e5ae73 (patch) | |
tree | de53af3cb7498964058614ec72cafaf7d304f6a9 | |
parent | 10fa4ebe6b2868460c845b524c0379b8dc216cfc (diff) | |
download | qtwebengine-chromium-bfc2432161a27335a0b35318ab75ddd898e5ae73.tar.gz |
[Backport] CVE-2023-1530: Use after free in PDF (2/2)
Manual cherry-pick of patch originally reviewed on
https://pdfium-review.googlesource.com/c/pdfium/+/104511:
More tightly validate XML names in CXFA_FFDocView::GetWidgetByName()
Widget names must conform to XML name rules.
-- Beef up tests while at it.
Fixed: chromium:1419831
Change-Id: Id36b4a7b3d84aa0b74d54c91eed2f1a11da8298f
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/104511
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/469852
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/pdfium/xfa/fxfa/cxfa_ffdocview.cpp | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/chromium/third_party/pdfium/xfa/fxfa/cxfa_ffdocview.cpp b/chromium/third_party/pdfium/xfa/fxfa/cxfa_ffdocview.cpp
index 1c4d5f44767..c6870330b86 100644
--- a/chromium/third_party/pdfium/xfa/fxfa/cxfa_ffdocview.cpp
+++ b/chromium/third_party/pdfium/xfa/fxfa/cxfa_ffdocview.cpp
@@ -10,6 +10,7 @@
 #include <utility>
 #include "core/fxcrt/fx_extension.h"
+#include "core/fxcrt/xml/cfx_xmlparser.h"
 #include "fxjs/gc/container_trace.h"
 #include "fxjs/xfa/cfxjse_engine.h"
 #include "fxjs/xfa/cjx_object.h"
@@ -42,6 +43,21 @@
 #include "xfa/fxfa/parser/xfa_resolvenode_rs.h"
 #include "xfa/fxfa/parser/xfa_utils.h"
+namespace {
+
+bool IsValidXMLNameString(const WideString& str) {
+  bool first = true;
+  for (const auto ch : str) {
+    if (!CFX_XMLParser::IsXMLNameChar(ch, first)) {
+      return false;
+    }
+    first = false;
+  }
+  return true;
+}
+
+} // namespace
+
 const XFA_AttributeValue gs_EventActivity[] = {
     XFA_AttributeValue::Click, XFA_AttributeValue::Change,
     XFA_AttributeValue::DocClose, XFA_AttributeValue::DocReady,
@@ -429,6 +445,9 @@ XFA_EventError CXFA_FFDocView::ExecEventActivityByDeepFirst(
 CXFA_FFWidget* CXFA_FFDocView::GetWidgetByName(const WideString& wsName,
                                                CXFA_FFWidget* pRefWidget) {
+  if (!IsValidXMLNameString(wsName)) {
+    return nullptr;
+  }
   CFXJSE_Engine* pScriptContext = m_pDoc->GetXFADoc()->GetScriptContext();
   CXFA_Node* pRefNode = nullptr;
   if (pRefWidget) { |
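Review bot: IsValidXMLNameString() in the second hunk accepts the empty string, because the loop body never runs for it and control falls through to `return true;`, whereas the XML Name production requires at least one character; as a result the new guard in GetWidgetByName() (third hunk, whose body continues outside the hunk) still forwards an empty name to the script context. If that is not intended, add `if (str.IsEmpty()) return false;` before the loop; if it is, say so on the helper so the next reader does not "fix" it, e.g. `// Checks XML Name character rules only; the empty string passes and is left to callers.`. A one-line header comment naming the contract (`// Returns true if every character of |str| is legal in an XML Name.`) would also help, since nothing on the helper states it.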