Make sure CFDE_XMLSyntaxParser's buffer is null terminated.

BUG=chromium:614962 Review-Url: https://codereview.chromium.org/2017803002
author: ochang <ochang@chromium.org> 2016-05-27 10:16:12 -0700
committer: Commit bot <commit-bot@chromium.org> 2016-05-27 10:16:12 -0700
commit: 816ff7b92ff0f94e4ffaafc975b08d2c4c1a6417 (patch)
tree: 03486c741f89bb7da4ce96ab01630429b7bdcd59
parent: 800222e01e3fcdd57536fc987e773677829dd708 (diff)
download: pdfium-816ff7b92ff0f94e4ffaafc975b08d2c4c1a6417.tar.xz
1 files changed, 10 insertions, 1 deletions
diff --git a/xfa/fde/xml/fde_xml_imp.cpp b/xfa/fde/xml/fde_xml_imp.cpp
index d7b22e076f..6a2c9fe57d 100644
--- a/xfa/fde/xml/fde_xml_imp.cpp
+++ b/xfa/fde/xml/fde_xml_imp.cpp
@@ -8,6 +8,7 @@
 
 #include <algorithm>
 
+#include "core/fxcrt/include/fx_safe_types.h"
 #include "xfa/fgas/crt/fgas_codepage.h"
 #include "xfa/fgas/crt/fgas_system.h"
 
@@ -1474,7 +1475,15 @@ void CFDE_XMLSyntaxParser::Init(IFX_Stream* pStream,
   uint8_t bom[4];
   m_iCurrentPos = m_pStream->GetBOM(bom);
   ASSERT(m_pBuffer == NULL);
-  m_pBuffer = FX_Alloc(FX_WCHAR, m_iXMLPlaneSize);
+
+  FX_SAFE_INT32 alloc_size_safe = m_iXMLPlaneSize;
+  alloc_size_safe += 1;  // For NUL.
+  if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0) {
+    m_syntaxParserResult = FDE_XmlSyntaxResult::Error;
+    return;
+  }
+
+  m_pBuffer = FX_Alloc(FX_WCHAR, alloc_size_safe.ValueOrDie());
   m_pStart = m_pEnd = m_pBuffer;
   ASSERT(!m_BlockBuffer.IsInitialized());
   m_BlockBuffer.InitBuffer();
author	ochang <ochang@chromium.org>	2016-05-27 10:16:12 -0700
committer	Commit bot <commit-bot@chromium.org>	2016-05-27 10:16:12 -0700
commit	816ff7b92ff0f94e4ffaafc975b08d2c4c1a6417 (patch)
tree	03486c741f89bb7da4ce96ab01630429b7bdcd59
parent	800222e01e3fcdd57536fc987e773677829dd708 (diff)
download	pdfium-816ff7b92ff0f94e4ffaafc975b08d2c4c1a6417.tar.xz