author | Tom Sepez <tsepez@chromium.org> | 2015-05-15 08:44:31 -0700 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-05-15 08:44:31 -0700 |
commit | 7f3b99a6a78e524613337f42a99b5634c0ad05f8 (patch) | |
tree | f13654bc0408c72a056b502d3106fd8e28c616e9 /core/src/fxcrt/fx_basic_bstring.cpp | |
parent | b60617f5557a037e64876f7495af80573a35cb4f (diff) | |
Fix potential UAF in ConcatInPlace.
If ConcatCopy somehow gets a zero nNewLen, it returns early, without
allocating a new m_pData. ConcatInPlace then frees the old one, leaving
m_pData dangling.
Also be wary of the length multiplication in the widestring version:
use wmemcpy and let the library do that arithmetic.
R=thestig@chromium.org
Review URL: https://codereview.chromium.org/1130763007
Diffstat (limited to 'core/src/fxcrt/fx_basic_bstring.cpp')
-rw-r--r-- | core/src/fxcrt/fx_basic_bstring.cpp | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/core/src/fxcrt/fx_basic_bstring.cpp b/core/src/fxcrt/fx_basic_bstring.cpp
index 87e50e76cc..781b821f00 100644
--- a/core/src/fxcrt/fx_basic_bstring.cpp
+++ b/core/src/fxcrt/fx_basic_bstring.cpp
@@ -422,9 +422,7 @@ void CFX_ByteString::ConcatInPlace(FX_STRSIZE nSrcLen, FX_LPCSTR lpszSrcData)
 return;
 }
 if (m_pData->m_nRefs > 1 || m_pData->m_nDataLength + nSrcLen > m_pData->m_nAllocLength) {
- StringData* pOldData = m_pData;
 ConcatCopy(m_pData->m_nDataLength, m_pData->m_String, nSrcLen, lpszSrcData);
- pOldData->Release();
 } else {
 FXSYS_memcpy32(m_pData->m_String + m_pData->m_nDataLength, lpszSrcData, nSrcLen);
 m_pData->m_nDataLength += nSrcLen;
@@ -435,14 +433,17 @@ void CFX_ByteString::ConcatCopy(FX_STRSIZE nSrc1Len, FX_LPCSTR lpszSrc1Data,
 FX_STRSIZE nSrc2Len, FX_LPCSTR lpszSrc2Data)
 {
 int nNewLen = nSrc1Len + nSrc2Len;
- if (nNewLen == 0) {
+ if (nNewLen <= 0) {
 return;
 }
+ // Don't release until done copying, might be one of the arguments.
+ StringData* pOldData = m_pData;
 m_pData = StringData::Create(nNewLen);
 if (m_pData) {
- FXSYS_memcpy32(m_pData->m_String, lpszSrc1Data, nSrc1Len);
- FXSYS_memcpy32(m_pData->m_String + nSrc1Len, lpszSrc2Data, nSrc2Len);
+ memcpy(m_pData->m_String, lpszSrc1Data, nSrc1Len);
+ memcpy(m_pData->m_String + nSrc1Len, lpszSrc2Data, nSrc2Len);
 }
+ pOldData->Release();
 }
 CFX_ByteString CFX_ByteString::Mid(FX_STRSIZE nFirst) const
 { |
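Review bot: The retained condition `m_pData->m_nDataLength + nSrcLen > m_pData->m_nAllocLength` still has no overflow guard: nNewLen in ConcatCopy is declared int, so FX_STRSIZE appears to be int-sized, and an nSrcLen large enough to wrap the sum makes the comparison false and sends the call into the else branch, where FXSYS_memcpy32 writes nSrcLen bytes into a buffer that cannot hold them. A check before the branch, `if (nSrcLen < 0 || nSrcLen > INT_MAX - m_pData->m_nDataLength) return;`, closes that path, which the new `nNewLen <= 0` test in ConcatCopy cannot reach. Now that the release has moved into ConcatCopy, an allocation failure there leaves this function with m_pData == NULL and the previous contents gone — pre-existing behaviour, but a comment on the call would help, e.g. `// ConcatCopy frees the old buffer; on allocation failure m_pData ends up NULL`. The else branch also keeps FXSYS_memcpy32 while ConcatCopy switched to plain memcpy; either is fine, but the file should pick one. The early-return whose `return;` opens this hunk, and the start of ConcatInPlace, lie outside the hunk.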
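Review bot: `pOldData->Release()` at the end is now unconditional, so any path that reaches ConcatCopy with m_pData == NULL would dereference NULL — the release it replaces ran only in ConcatInPlace's non-null branch, and ConcatCopy's other callers are not visible here — so `if (pOldData) pOldData->Release();` is the safer form. The `nNewLen <= 0` test rejects a negative sum but not a negative term: with nSrc1Len > -nSrc2Len > 0 the sum is positive, Create succeeds, and `memcpy(m_pData->m_String + nSrc1Len, lpszSrc2Data, nSrc2Len)` turns the negative length into a huge size_t. `if (nSrc1Len < 0 || nSrc2Len < 0 || nNewLen <= 0) return;` covers both, and stops relying on signed overflow wrapping negative, which is undefined and which the compiler may fold away once it can prove both inputs are non-negative. When Create fails the old buffer is still released and m_pData stays NULL, so the string silently loses its contents — unchanged from before, but the added comment could say so: `// Don't release until done copying, might be one of the arguments; on allocation failure the string becomes empty.`. The function's signature line precedes the hunk; its first context line is the parameter continuation.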