Infinite loop in CXFA_Node::GetMapModuleBuffer()

[GoogleCodeExporter]

The attached file was produced by a naive generative fuzzer.  It results in an 
infinite loop around xfa_object_imp.cpp:4773

4768        while (pNode) {
4769            XFA_LPMAPMODULEDATA pMoudle = pNode->GetMapModuleData(FALSE);
4770            if (pMoudle && pMoudle->m_BufferMap.Lookup(pKey, pBuffer)) {
4771                break;
4772            }
4773            pNode = (bProtoAlso && pNode->GetPacketID() != 
XFA_XDPPACKET_Datasets) ? pNode->GetTemplateNode() : NULL;
4774        }

The problem is that pNode has itself as its own m_pAuxNode and is not a 
DATASETS node, so line 4773 keeps re-assigning pNode to iself.

(gdb) p pNode
$8 = (CXFA_Node *) 0x1a1ba40
(gdb) p *pNode
$9 = {
  <CXFA_Object> = {
    <CFX_Object> = {<No data fields>}, 
    members of CXFA_Object: 
    m_pDocument = 0x1a19940, 
    m_uFlags = 10
  }, 
  members of CXFA_Node: 
  m_pNext = 0x0, 
  m_pChild = 0x0, 
  m_pLastChild = 0x0, 
  m_pParent = 0x1a1b4d0, 
  m_pXMLNode = 0x0, 
  m_eNodeClass = XFA_ELEMENT_ContentArea, 
  m_ePacket = 1024, 
  m_dwNameHash = 3632535792, 
  m_pAuxNode = 0x1a1ba40, 
  m_pMapModuleData = 0x1a1baa0
}
(gdb) p pNode == pNode->m_pAuxNode
$10 = true
(gdb) p pNode == pNode->GetTemplateNode()
$11 = true

Presumably the issue is that the tags in question aren't expected outside of a 
<dataset> block.  Perhaps a better terminating condition would be that the node 
is its own aux.

What steps will reproduce the problem?
Run pdfium_test against the attached file.

Original issue reported on code.google.com by tsepez@chromium.org on 4 Dec 2014 at 7:23

Attachments:

• module_buffer_hang.pdf

[GoogleCodeExporter]

@Tom, the attached file does not repro and I don't see a <dataset> block in the 
file, maybe a wrong file?

Original comment by bo...@foxitsoftware.com on 6 Dec 2014 at 1:34

• Changed state: Started
• Added labels: ****
• Removed labels: ****