XFA: bound memcpy length in _png_load_bmp_attribute()

BUG=466338 R=thestig@chromium.org Review URL: https://codereview.chromium.org/997273002
author: Tom Sepez <tsepez@chromium.org> 2015-03-11 14:41:17 -0700
committer: Tom Sepez <tsepez@chromium.org> 2015-03-11 14:41:17 -0700
commit: e0557f60dd1a6130c481e3ab4f3787bf1125941a (patch)
tree: 73c1ab618ba673f2bddccd6845d8cca6de07402b /core/src/fxcodec/codec
parent: 2080b3e1b18126628890c61a62eca28dcd65818e (diff)
download: pdfium-e0557f60dd1a6130c481e3ab4f3787bf1125941a.tar.xz
1 files changed, 3 insertions, 2 deletions
diff --git a/core/src/fxcodec/codec/fx_codec_png.cpp b/core/src/fxcodec/codec/fx_codec_png.cpp
index 8c26381514..ea5ffaf68a 100644
--- a/core/src/fxcodec/codec/fx_codec_png.cpp
+++ b/core/src/fxcodec/codec/fx_codec_png.cpp
@@ -69,8 +69,9 @@ static void _png_load_bmp_attribute(png_structp png_ptr, png_infop info_ptr, CFX
             buf = "Time";
             if (!FXSYS_memcmp32(buf, text[i].key, FX_MIN(len, FXSYS_strlen(buf)))) {
                 if (!bTime) {
-                    FXSYS_memset32(pAttribute->m_strTime, 0, 20);
-                    FXSYS_memcpy32(pAttribute->m_strTime, text[i].text, text[i].text_length);
+                    FXSYS_memset32(pAttribute->m_strTime, 0, sizeof(pAttribute->m_strTime));
+                    FXSYS_memcpy32(pAttribute->m_strTime, text[i].text,
+                                   FX_MIN(sizeof(pAttribute->m_strTime) - 1, text[i].text_length));
                 }
             } else {
                 buf = "Author";
author	Tom Sepez <tsepez@chromium.org>	2015-03-11 14:41:17 -0700
committer	Tom Sepez <tsepez@chromium.org>	2015-03-11 14:41:17 -0700
commit	e0557f60dd1a6130c481e3ab4f3787bf1125941a (patch)
tree	73c1ab618ba673f2bddccd6845d8cca6de07402b /core/src/fxcodec/codec
parent	2080b3e1b18126628890c61a62eca28dcd65818e (diff)
download	pdfium-e0557f60dd1a6130c481e3ab4f3787bf1125941a.tar.xz