Speculative fix for bad FX_Free() under fuzzer.

A recent change to CFX_CodecMemory prevented it leaking an old buffer when a realloc() failed. But there is a corner case where realloc() to size 0 also returns null (as would a failed alloc), but frees the buffer, rather than leaving it intact. TBR: thestig@chromium.org Bug: 897585 Change-Id: Ib1e82088a822008780f11c6ea94b0552fbf51146 Reviewed-on: https://pdfium-review.googlesource.com/c/44451 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org>
author: Tom Sepez <tsepez@chromium.org> 2018-10-22 17:23:51 +0000
committer: Chromium commit bot <commit-bot@chromium.org> 2018-10-22 17:23:51 +0000
commit: 8298d25cf3ac41d71a8533700d929cadac1c360d (patch)
tree: 219955226276efd61fd9e67d0f56d45a453c5743
parent: af3d6cc8910fbddc7518f9d54f4c4ad0dd25ed40 (diff)
download: pdfium-8298d25cf3ac41d71a8533700d929cadac1c360d.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/core/fxcodec/codec/cfx_codec_memory.cpp b/core/fxcodec/codec/cfx_codec_memory.cpp
index 640db12415..36b78672c6 100644
--- a/core/fxcodec/codec/cfx_codec_memory.cpp
+++ b/core/fxcodec/codec/cfx_codec_memory.cpp
@@ -32,7 +32,7 @@ size_t CFX_CodecMemory::ReadBlock(void* buffer, size_t size) {
 bool CFX_CodecMemory::TryResize(size_t new_buffer_size) {
   uint8_t* pOldBuf = buffer_.release();
   uint8_t* pNewBuf = FX_TryRealloc(uint8_t, pOldBuf, new_buffer_size);
-  if (!pNewBuf) {
+  if (new_buffer_size && !pNewBuf) {
     buffer_.reset(pOldBuf);
     return false;
   }
author	Tom Sepez <tsepez@chromium.org>	2018-10-22 17:23:51 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	2018-10-22 17:23:51 +0000
commit	8298d25cf3ac41d71a8533700d929cadac1c360d (patch)
tree	219955226276efd61fd9e67d0f56d45a453c5743
parent	af3d6cc8910fbddc7518f9d54f4c4ad0dd25ed40 (diff)
download	pdfium-8298d25cf3ac41d71a8533700d929cadac1c360d.tar.xz