authorJUN FANG <jun_fang@foxitsoftware.com>2015-04-11 09:33:23 -0700
committerJUN FANG <jun_fang@foxitsoftware.com>2015-04-11 09:33:23 -0700
commitf265ee5a5f0e96d1a91111f4f27eb2f1edd8835a (patch)
tree61752f617913671b60e9c0cfb2f6c21fb652fc26 /core/src/fpdfapi/fpdf_page/fpdf_page.cpp
parent9c7b0940569ee5eb1794e8db4e47ecaf3a64315d (diff)
Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar
Add a check in GetNextChar() to make sure the offset is less than the size of the string. BUG=471651 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1067073003
Diffstat (limited to 'core/src/fpdfapi/fpdf_page/fpdf_page.cpp')
-rw-r--r--core/src/fpdfapi/fpdf_page/fpdf_page.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page.cpp
index 590a01aa6d..ccdfb9fcbb 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page.cpp
@@ -247,7 +247,7 @@ void CPDF_TextObject::SetSegments(const CFX_ByteString* pStrs, FX_FLOAT* pKernin
FX_LPCSTR segment = pStrs[i];
int offset = 0, len = pStrs[i].GetLength();
while (offset < len) {
- m_pCharCodes[index++] = pFont->GetNextChar(segment, offset);
+ m_pCharCodes[index++] = pFont->GetNextChar(segment, len, offset);
}
if (i != nsegs - 1) {
m_pCharPos[index - 1] = pKerning[i];
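Review bot: The read from `segment` is now bounded by `len`, but the store `m_pCharCodes[index++]` in the same loop has no visible bound, so it is only safe if the buffer was sized by a character count that agrees exactly with how GetNextChar consumes bytes. The allocation and that count are outside this hunk; if a separate routine computes the count, a segment ending in an incomplete multi-byte sequence is where the two could disagree, so I would check `index` against the allocated element count before each store. Separately, `m_pCharPos[index - 1] = pKerning[i];` would index at -1 if an empty segment arrives while `index` is still 0 (its initial value is not shown), so a comment stating that callers never pass empty segments, or a check for it, would make the precondition explicit. The body of SetSegments starts before this hunk and continues after it.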
@@ -256,7 +256,7 @@ void CPDF_TextObject::SetSegments(const CFX_ByteString* pStrs, FX_FLOAT* pKernin
}
} else {
int offset = 0;
- m_pCharCodes = (FX_DWORD*)(FX_UINTPTR)pFont->GetNextChar(pStrs[0], offset);
+ m_pCharCodes = (FX_DWORD*)(FX_UINTPTR)pFont->GetNextChar(pStrs[0], pStrs[0].GetLength(), offset);
}
}
void CPDF_TextObject::SetText(const CFX_ByteString& str)
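Review bot: The single-character branch calls GetNextChar without the `offset < len` guard that the multi-segment loop has, so for an empty `pStrs[0]` it relies entirely on the new length check inside GetNextChar, whose body is not shown on this page. The condition that selects this branch is outside the hunk; if it cannot guarantee a non-empty string, the call should be guarded or the precondition documented. The line also stores the returned character code in the pointer field itself through `(FX_DWORD*)(FX_UINTPTR)`, so I would add a comment above it such as `// single char: m_pCharCodes holds the code value itself, not a heap pointer; it must not be dereferenced or freed in this state`.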