summaryrefslogtreecommitdiff
path: root/xfa
diff options
context:
space:
mode:
authorTom Sepez <tsepez@chromium.org>2017-05-19 10:43:06 -0700
committerChromium commit bot <commit-bot@chromium.org>2017-05-19 20:52:37 +0000
commit92c13a7d495c54d86ac8faf8a56a017da2ad39ff (patch)
tree8b0896cf870ec9a17a509245d50921759ae6a153 /xfa
parentd824a90b6fc908020d8f264447fd348c7ffe72c5 (diff)
downloadpdfium-92c13a7d495c54d86ac8faf8a56a017da2ad39ff.tar.xz
ASAN flags zero-length StringC in GetMapModuleString()chromium/3105
Corner case for StringCs: A non-referenceable ptr plus a zero length. The situation should be rare, so fix it at the spot of the foul rather than adding logic to the StringC constructors to zero the pointer when encountering zero length. Bug: 724500 Change-Id: I54b263f7db5ddef7bade6bfaa185a542ea20229c Reviewed-on: https://pdfium-review.googlesource.com/5730 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'xfa')
-rw-r--r--xfa/fxfa/parser/cxfa_node.cpp7
1 files changed, 4 insertions, 3 deletions
diff --git a/xfa/fxfa/parser/cxfa_node.cpp b/xfa/fxfa/parser/cxfa_node.cpp
index e136814e9f..8830f3412c 100644
--- a/xfa/fxfa/parser/cxfa_node.cpp
+++ b/xfa/fxfa/parser/cxfa_node.cpp
@@ -4854,10 +4854,11 @@ void CXFA_Node::SetMapModuleString(void* pKey, const CFX_WideStringC& wsValue) {
bool CXFA_Node::GetMapModuleString(void* pKey, CFX_WideStringC& wsValue) {
void* pValue;
int32_t iBytes;
- if (!GetMapModuleBuffer(pKey, pValue, iBytes)) {
+ if (!GetMapModuleBuffer(pKey, pValue, iBytes))
return false;
- }
- wsValue = CFX_WideStringC((const wchar_t*)pValue, iBytes / sizeof(wchar_t));
+ // Defensive measure: no out-of-bounds pointers even if zero length.
+ int32_t iChars = iBytes / sizeof(wchar_t);
+ wsValue = CFX_WideStringC(iChars ? (const wchar_t*)pValue : nullptr, iChars);
return true;
}