authorTom Sepez <tsepez@chromium.org>2016-03-24 11:09:45 -0700
committerTom Sepez <tsepez@chromium.org>2016-03-24 11:09:45 -0700
commit676947ce0204914da1d8fb159730432c0fb0a3a2 (patch)
tree5749b1a559ad2b7b5c9c776c8fb93dc009994124 /core/fpdfapi
parent282cee1b5ef000c8b03f53f5cbb243893d4440d1 (diff)
downloadpdfium-676947ce0204914da1d8fb159730432c0fb0a3a2.tar.xz
Added bounds checking to GetNameFromTT to handle corrupt files.
Patch by forshaw. This patch adds bounds checking to the names buffer passed to GetNameFromTT. There are observed crashes in this function where data is read outside of the bounds allocated and passed to GetNameFromTT. There's no reason that this function should ever try and read outside of the allocated bounds. BUG=583037 TBR=forshaw@chromium.org patch from issue 1829013002 at patchset 40001 (http://crrev.com/1829013002#ps40001) Review URL: https://codereview.chromium.org/1830243003 .
Diffstat (limited to 'core/fpdfapi')
-rw-r--r--core/fpdfapi/fpdf_edit/fpdf_edit_doc.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/core/fpdfapi/fpdf_edit/fpdf_edit_doc.cpp b/core/fpdfapi/fpdf_edit/fpdf_edit_doc.cpp
index 7688bb08ce..cf79fdc47d 100644
--- a/core/fpdfapi/fpdf_edit/fpdf_edit_doc.cpp
+++ b/core/fpdfapi/fpdf_edit/fpdf_edit_doc.cpp
@@ -234,7 +234,7 @@ CFX_ByteString _FPDF_GetPSNameFromTT(HDC hDC) {
if (size != GDI_ERROR) {
LPBYTE buffer = FX_Alloc(BYTE, size);
::GetFontData(hDC, 'eman', 0, buffer, size);
- result = GetNameFromTT(buffer, 6);
+ result = GetNameFromTT(buffer, size, 6);
FX_Free(buffer);
}
return result;
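Review bot: The return value of the second `::GetFontData` call, directly above the changed line, is still discarded, so the `size` now passed to `GetNameFromTT` bounds the allocation rather than the bytes actually copied into it. If that call fails or returns a short count, the parser walks buffer contents the font never supplied; whether `FX_Alloc` zero-fills is not visible in this hunk. Gating the parse on the copy would close this: `if (::GetFontData(hDC, 'eman', 0, buffer, size) == size) result = GetNameFromTT(buffer, size, 6);`. A short comment that `size` is the byte length of the 'name' table as reported by the first query would also help the next reader. The body of `_FPDF_GetPSNameFromTT` begins outside the hunk, so the first size query was not reviewed.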