summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTom Sepez <tsepez@chromium.org>2017-03-29 12:43:50 -0700
committerChromium commit bot <commit-bot@chromium.org>2017-03-29 20:17:31 +0000
commitca825d3abded0dd633857ab56288ceff54858cd8 (patch)
tree3322fc5020ca02c50c10a6f585bf248022381097
parent0cf642f763b1ab8cdb3c52db80cf38e380c82a19 (diff)
downloadpdfium-ca825d3abded0dd633857ab56288ceff54858cd8.tar.xz
Fix MSAN uninitialized value report.
Having move to partition alloc, string buffers are no longer automatically pre-zero'd (nor should they because CFX strings are implemented without this cycle-wasting assumption in mind). BUG=705912 Change-Id: Ia0de263076c2a792ab546bd10c37a06b4251e7e2 Reviewed-on: https://pdfium-review.googlesource.com/3292 Commit-Queue: Tom Sepez <tsepez@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
-rw-r--r--core/fxcrt/fx_basic_wstring.cpp7
1 files changed, 7 insertions, 0 deletions
diff --git a/core/fxcrt/fx_basic_wstring.cpp b/core/fxcrt/fx_basic_wstring.cpp
index 5cb6a57181..5c0b6ce061 100644
--- a/core/fxcrt/fx_basic_wstring.cpp
+++ b/core/fxcrt/fx_basic_wstring.cpp
@@ -607,6 +607,13 @@ void CFX_WideString::FormatV(const wchar_t* pFormat, va_list argList) {
}
GetBuffer(nMaxLen);
if (m_pData) {
+ // In the following two calls, there's always space in the buffer for
+ // a terminating NUL that's not included in nMaxLen.
+ // For vswprintf(), MSAN won't untaint the buffer on a truncated write's
+ // -1 return code even though the buffer is written. Probably just as well
+ // not to trust the vendor's implementation to write anything anyways.
+ // See https://crbug.com/705912.
+ memset(m_pData->m_String, 0, nMaxLen + 1);
FXSYS_vswprintf((wchar_t*)m_pData->m_String, nMaxLen + 1,
(const wchar_t*)pFormat, argListSave);
ReleaseBuffer();