Use the length of calculated string instead of source

In this function a string is converted to UTF8, if there are
non-printing characters in the original string, the generated string
will be shorter. Thus using the original string length for iteration
range will cause an OOB read.

BUG=chromium:854623

Change-Id: I338005476c3de529709f3eae6892d27a6c7f2263
Reviewed-on: https://pdfium-review.googlesource.com/35810
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

1 files changed, 1 insertions, 6 deletions

diff --git a/fxjs/cfxjse_formcalc_context.cpp b/fxjs/cfxjse_formcalc_context.cpp
index 3ed8a78da3..15401a010e 100644
--- a/fxjs/cfxjse_formcalc_context.cpp
+++ b/fxjs/cfxjse_formcalc_context.cpp
@@ -3891,17 +3891,12 @@ void CFXJSE_FormCalcContext::Lower(CFXJSE_Value* pThis,
   CFX_WideTextBuf lowStringBuf;
   ByteString argString = ValueToUTF8String(argOne.get());
   WideString wsArgString = WideString::FromUTF8(argString.AsStringView());
-  const wchar_t* pData = wsArgString.c_str();
-  size_t i = 0;
-  while (i < argString.GetLength()) {
-    int32_t ch = pData[i];
+  for (auto ch : wsArgString) {
     if ((ch >= 0x41 && ch <= 0x5A) || (ch >= 0xC0 && ch <= 0xDE))
       ch += 32;
     else if (ch == 0x100 || ch == 0x102 || ch == 0x104)
       ch += 1;
-
     lowStringBuf.AppendChar(ch);
-    ++i;
   }
   lowStringBuf.AppendChar(0);