authorTom Sepez <tsepez@chromium.org>2015-05-15 08:44:31 -0700
committerTom Sepez <tsepez@chromium.org>2015-05-15 08:44:31 -0700
commit7f3b99a6a78e524613337f42a99b5634c0ad05f8 (patch)
treef13654bc0408c72a056b502d3106fd8e28c616e9 /core/include
parentb60617f5557a037e64876f7495af80573a35cb4f (diff)
Fix potential UAF in ConcatInPlace.
If ConcatCopy somehow gets a zero nNewlen, it returns early without allocating a new m_Data. ConcatInPlace then frees the old one, leaving m_Data dangling. There is also a concern about the multiplication in the widestring version, so use wmemcpy and let the library cope with it. R=thestig@chromium.org Review URL: https://codereview.chromium.org/1130763007
Diffstat (limited to 'core/include')
-rw-r--r--core/include/fxcrt/fx_string.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/core/include/fxcrt/fx_string.h b/core/include/fxcrt/fx_string.h
index a7b9a23e25..3614cbe0ee 100644
--- a/core/include/fxcrt/fx_string.h
+++ b/core/include/fxcrt/fx_string.h
@@ -389,6 +389,7 @@ protected:
void AllocBeforeWrite(FX_STRSIZE nLen);
StringData* m_pData;
+ friend class fxcrt_ByteStringConcatInPlace_Test;
};
inline CFX_ByteStringC::CFX_ByteStringC(const CFX_ByteString& src)
{
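Review bot: The added `friend class fxcrt_ByteStringConcatInPlace_Test;` opens the private `m_pData` of a production string type to a test, but nothing in the header says why, so a later reader may take it for an ordinary collaborator; a one-line comment would fix that, e.g. `friend class fxcrt_ByteStringConcatInPlace_Test;  // Test-only: lets the ConcatInPlace UAF regression test inspect m_pData.` The identifier has the `Suite_Name_Test` shape that gtest generates for `TEST(fxcrt, ByteStringConcatInPlace)`, so the friend name presumably has to be kept in sync with that test by hand, which is worth stating in the same comment. The class whose tail is shown here begins before the hunk, and the ConcatInPlace fix described in the commit message lives outside core/include and is not part of this diffstat.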
@@ -815,6 +816,7 @@ protected:
void AllocCopy(CFX_WideString& dest, FX_STRSIZE nCopyLen, FX_STRSIZE nCopyIndex) const;
StringData* m_pData;
+ friend class fxcrt_WideStringConcatInPlace_Test;
};
inline CFX_WideStringC::CFX_WideStringC(const CFX_WideString& src)
{