authorJUN FANG <jun_fang@foxitsoftware.com>2015-04-11 09:33:23 -0700
committerJUN FANG <jun_fang@foxitsoftware.com>2015-04-11 12:35:13 -0700
commite26a07588130eeaff120490a266a0a681705f006 (patch)
tree47aad6ac260d2b04099b6a28e9a2dfce8ed341a2 /core/src/fpdfapi/fpdf_font/fpdf_font.cpp
parent7121cd914a52e1549014e40ac6489e1471480261 (diff)
downloadpdfium-e26a07588130eeaff120490a266a0a681705f006.tar.xz
Merge to XFA: Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar
Add a check in GetNextChar() to make sure the offset is less than the size of the string. BUG=471651 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1067073003
Diffstat (limited to 'core/src/fpdfapi/fpdf_font/fpdf_font.cpp')
-rw-r--r--core/src/fpdfapi/fpdf_font/fpdf_font.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
index dd646ca113..41bb95a89d 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
@@ -213,7 +213,7 @@ CFX_WideString CPDF_Font::DecodeString(const CFX_ByteString& str) const
FX_LPCSTR src_buf = str;
int src_pos = 0;
while (src_pos < src_len) {
- FX_DWORD charcode = GetNextChar(src_buf, src_pos);
+ FX_DWORD charcode = GetNextChar(src_buf, src_len, src_pos);
CFX_WideString unicode = UnicodeFromCharCode(charcode);
if (!unicode.IsEmpty()) {
result += unicode;
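Review bot: Passing `src_len` at this call only closes the overflow if every GetNextChar implementation checks the offset against it before each byte it consumes, not just the first. The `while (src_pos < src_len)` condition already guarantees the first byte is in range, so the out-of-bounds read named in the commit title presumably came from the trailing bytes of a multi-byte code. Those implementations are not part of this file's diff, so they should be reviewed together with this hunk. If GetNextChar is virtual, an override left on the old two-argument signature would silently stop overriding, so marking the overrides explicitly is worth doing. The loop also depends on GetNextChar always advancing `src_pos`; a comment such as `// GetNextChar must advance src_pos by at least one byte and never read at or past src_len` above the call would record that contract. DecodeString starts and ends outside the hunk.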
@@ -379,7 +379,7 @@ int CPDF_Font::GetStringWidth(FX_LPCSTR pString, int size)
int offset = 0;
int width = 0;
while (offset < size) {
- FX_DWORD charcode = GetNextChar(pString, offset);
+ FX_DWORD charcode = GetNextChar(pString, size, offset);
width += GetCharWidthF(charcode);
}
return width;
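Review bot: The bound handed to GetNextChar here is the caller-supplied `size`, which this function never checks against the buffer behind `pString`, so the new check is only as strong as the caller's length. That is a contract rather than a defect in the visible lines, but it should be written down on the function, for example `// size must not exceed the number of bytes readable at pString; GetNextChar bounds its reads by it`. Separately, `width` is a plain `int` accumulated once per character of a document-controlled string; whether the sum can overflow depends on what GetCharWidthF returns, which is not visible here, so that is worth confirming. The function's signature is outside the hunk.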