author | Tom Sepez <tsepez@chromium.org> | 2015-05-15 08:44:31 -0700 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-05-15 08:44:31 -0700 |
commit | 7f3b99a6a78e524613337f42a99b5634c0ad05f8 (patch) | |
tree | f13654bc0408c72a056b502d3106fd8e28c616e9 /core/src/fxcrt/fx_basic_wstring_unittest.cpp | |
parent | b60617f5557a037e64876f7495af80573a35cb4f (diff) | |
download | pdfium-7f3b99a6a78e524613337f42a99b5634c0ad05f8.tar.xz |
Fix potential UAF in ConcatInPlace.
If ConcatCopy somehow gets a zero nNewlen, it returns early, without
allocating a new m_Data. ConcatInPlace then frees the old one, leaving
m_Data dangling.
Also be concerned about the multiplication in the widestring version.
So use wmemcpy and let the library cope with it.
R=thestig@chromium.org
Review URL: https://codereview.chromium.org/1130763007
Diffstat (limited to 'core/src/fxcrt/fx_basic_wstring_unittest.cpp')
-rw-r--r-- | core/src/fxcrt/fx_basic_wstring_unittest.cpp | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/core/src/fxcrt/fx_basic_wstring_unittest.cpp b/core/src/fxcrt/fx_basic_wstring_unittest.cpp
index 21b5ae54f6..847e5e8076 100644
--- a/core/src/fxcrt/fx_basic_wstring_unittest.cpp
+++ b/core/src/fxcrt/fx_basic_wstring_unittest.cpp
@@ -249,6 +249,33 @@ TEST(fxcrt, WideStringOperatorNE) {
 EXPECT_TRUE(c_string3 != wide_string);
 }
 
+TEST(fxcrt, WideStringConcatInPlace) {
+ CFX_WideString fred;
+ fred.ConcatInPlace(4, L"FRED");
+ EXPECT_EQ(L"FRED", fred);
+
+ fred.ConcatInPlace(2, L"DY");
+ EXPECT_EQ(L"FREDDY", fred);
+
+ fred.Delete(3, 3);
+ EXPECT_EQ(L"FRE", fred);
+
+ fred.ConcatInPlace(1, L"D");
+ EXPECT_EQ(L"FRED", fred);
+
+ CFX_WideString copy = fred;
+ fred.ConcatInPlace(2, L"DY");
+ EXPECT_EQ(L"FREDDY", fred);
+ EXPECT_EQ(L"FRED", copy);
+
+ // Test invalid arguments.
+ copy = fred;
+ fred.ConcatInPlace(-6, L"freddy");
+ CFX_WideString not_aliased(L"xxxxxx");
+ EXPECT_EQ(L"FREDDY", fred);
+ EXPECT_EQ(L"xxxxxx", not_aliased);
+}
+
 #define ByteStringLiteral(str) CFX_ByteString(FX_BSTRC(str))
 
 TEST(fxcrt, WideStringUTF16LE_Encode) { |
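Review bot: In the `// Test invalid arguments.` part of WideStringConcatInPlace, `copy = fred;` makes the buffer shared before the `-6` call, but `copy` is never checked afterwards, so only one of the two holders of that buffer is verified; adding `EXPECT_EQ(L"FREDDY", copy);` after the call would cover the other. The `not_aliased` check only catches a regression if the allocator happens to hand the just-released block to the next allocation, which is not guaranteed, so the dangling `m_Data` case described in the commit message is presumably caught reliably only in a memory-sanitizer build. A one-line comment such as `// Shared buffer plus a length of -6 drives the combined length to zero.` would record why these particular values were chosen. Only the exact-zero sum is exercised here; a negative length that does not cancel the current length (for example `-3`) is not covered, and whether that path is safe cannot be seen from this file.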