diff options
author | Tom Sepez <tsepez@chromium.org> | 2017-05-19 10:43:06 -0700 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-05-19 20:52:37 +0000 |
commit | 92c13a7d495c54d86ac8faf8a56a017da2ad39ff (patch) | |
tree | 8b0896cf870ec9a17a509245d50921759ae6a153 /xfa/fxfa/parser | |
parent | d824a90b6fc908020d8f264447fd348c7ffe72c5 (diff) | |
download | pdfium-92c13a7d495c54d86ac8faf8a56a017da2ad39ff.tar.xz |
ASAN flags zero-length StringC in GetMapModuleString()chromium/3105
Corner case for StringCs: A non-referenceable ptr plus a
zero length.
The situation should be rare, so fix it at the spot of the
foul rather than adding logic to the StringC constructors to
zero the pointer when encountering zero length.
Bug: 724500
Change-Id: I54b263f7db5ddef7bade6bfaa185a542ea20229c
Reviewed-on: https://pdfium-review.googlesource.com/5730
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'xfa/fxfa/parser')
-rw-r--r-- | xfa/fxfa/parser/cxfa_node.cpp | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/xfa/fxfa/parser/cxfa_node.cpp b/xfa/fxfa/parser/cxfa_node.cpp index e136814e9f..8830f3412c 100644 --- a/xfa/fxfa/parser/cxfa_node.cpp +++ b/xfa/fxfa/parser/cxfa_node.cpp @@ -4854,10 +4854,11 @@ void CXFA_Node::SetMapModuleString(void* pKey, const CFX_WideStringC& wsValue) { bool CXFA_Node::GetMapModuleString(void* pKey, CFX_WideStringC& wsValue) { void* pValue; int32_t iBytes; - if (!GetMapModuleBuffer(pKey, pValue, iBytes)) { + if (!GetMapModuleBuffer(pKey, pValue, iBytes)) return false; - } - wsValue = CFX_WideStringC((const wchar_t*)pValue, iBytes / sizeof(wchar_t)); + // Defensive measure: no out-of-bounds pointers even if zero length. + int32_t iChars = iBytes / sizeof(wchar_t); + wsValue = CFX_WideStringC(iChars ? (const wchar_t*)pValue : nullptr, iChars); return true; } |