authorJUN FANG <jun_fang@foxitsoftware.com>2015-04-11 09:33:23 -0700
committerJUN FANG <jun_fang@foxitsoftware.com>2015-04-11 09:33:23 -0700
commitf265ee5a5f0e96d1a91111f4f27eb2f1edd8835a (patch)
tree61752f617913671b60e9c0cfb2f6c21fb652fc26 /core/src/fpdfapi/fpdf_render
parent9c7b0940569ee5eb1794e8db4e47ecaf3a64315d (diff)
Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar
Add a check in GetNextChar() to make sure that offset is less than the size of the string. BUG=471651 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1067073003
Diffstat (limited to 'core/src/fpdfapi/fpdf_render')
-rw-r--r--core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp b/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
index f99f7cec38..0ea7ea1672 100644
--- a/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
+++ b/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
@@ -613,7 +613,7 @@ void CPDF_TextRenderer::DrawTextString(CFX_RenderDevice* pDevice, FX_FLOAT origi
FX_DWORD* pCharCodes;
FX_FLOAT* pCharPos;
if (nChars == 1) {
- charcode = pFont->GetNextChar(str, offset);
+ charcode = pFont->GetNextChar(str, str.GetLength(), offset);
pCharCodes = (FX_DWORD*)(FX_UINTPTR)charcode;
pCharPos = NULL;
} else {
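Review bot: The new call passes `str` and `str.GetLength()` as two independent arguments, so the bounds check this commit relies on only holds if every caller supplies a length taken from the same buffer, and nothing at this call site records that. I would add a comment above the call, for example `// Length must come from the same string as the buffer; GetNextChar checks offset against it.` The same applies to the call inside the loop in the next hunk. The diffstat is limited to this directory, so the callee's check and any other callers cannot be confirmed from this page. DrawTextString begins and ends outside the hunk.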
@@ -621,7 +621,7 @@ void CPDF_TextRenderer::DrawTextString(CFX_RenderDevice* pDevice, FX_FLOAT origi
pCharPos = FX_Alloc(FX_FLOAT, nChars - 1);
FX_FLOAT cur_pos = 0;
for (int i = 0; i < nChars; i ++) {
- pCharCodes[i] = pFont->GetNextChar(str, offset);
+ pCharCodes[i] = pFont->GetNextChar(str, str.GetLength(), offset);
if (i) {
pCharPos[i - 1] = cur_pos;
}
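Review bot: The loop stores the return value of GetNextChar into `pCharCodes[i]` unconditionally, so if `nChars` (computed outside this hunk) is larger than the bytes in `str` can supply, the remaining slots are presumably filled with whatever the callee returns at end of string; a comment stating that value and that it is safe to render would help. `str.GetLength()` is also re-evaluated on every iteration although the string does not change in the visible lines. Consider hoisting it, `const int nLen = str.GetLength();` before the `for`, and passing `nLen` in the call, which keeps the bound visibly fixed for the whole loop. The loop body continues past the end of the hunk.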