From 065af557f21d4e42438d48b6b0e18ffcf33fa8a5 Mon Sep 17 00:00:00 2001
From: Oliver Chang
Date: Fri, 27 May 2016 16:34:19 -0700
Subject: Merge to M52: Make sure CFDE_XMLSyntaxParser's buffer is null terminated.

BUG=chromium:614962
TBR=tsepez@chromium.org

Original Review-Url: https://codereview.chromium.org/2017803002
(cherry picked from commit 816ff7b92ff0f94e4ffaafc975b08d2c4c1a6417)

Review URL: https://codereview.chromium.org/2017973003 .
---
 xfa/fde/xml/fde_xml_imp.cpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/xfa/fde/xml/fde_xml_imp.cpp b/xfa/fde/xml/fde_xml_imp.cpp
index 446db86950..9e99deb972 100644
--- a/xfa/fde/xml/fde_xml_imp.cpp
+++ b/xfa/fde/xml/fde_xml_imp.cpp
@@ -8,6 +8,7 @@
 #include
+#include "core/fxcrt/include/fx_safe_types.h"
 #include "xfa/fgas/crt/fgas_codepage.h"
 #include "xfa/fgas/crt/fgas_system.h"
@@ -1475,7 +1476,15 @@ void CFDE_XMLSyntaxParser::Init(IFX_Stream* pStream,
 uint8_t bom[4];
 m_iCurrentPos = m_pStream->GetBOM(bom);
 ASSERT(m_pBuffer == NULL);
- m_pBuffer = FX_Alloc(FX_WCHAR, m_iXMLPlaneSize);
+
+ FX_SAFE_INT32 alloc_size_safe = m_iXMLPlaneSize;
+ alloc_size_safe += 1; // For NUL.
+ if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0) {
+ m_syntaxParserResult = FDE_XmlSyntaxResult::Error;
+ return;
+ }
+
+ m_pBuffer = FX_Alloc(FX_WCHAR, alloc_size_safe.ValueOrDie());
 m_pStart = m_pEnd = m_pBuffer;
 ASSERT(!m_BlockBuffer.IsInitialized());
 m_BlockBuffer.InitBuffer();
-- 
cgit v1.2.3
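Review bot: The new code allocates one extra FX_WCHAR "For NUL." but nothing in the hunk writes a terminator into that slot, so the guarantee the commit title promises rests entirely on FX_Alloc zero-filling its result and on no later write reaching index m_iXMLPlaneSize; that reliance should be stated where the slot is reserved, e.g. `alloc_size_safe += 1;  // Extra slot is the NUL terminator; relies on FX_Alloc zero-filling and on readers stopping at m_iXMLPlaneSize.` The early-return path also leaves Init() half done: m_pBuffer stays NULL and m_pStart/m_pEnd and m_BlockBuffer are never set, so any caller that proceeds without first checking m_syntaxParserResult would dereference a null buffer; a one-line comment at the `return;` saying that the parser is unusable after this point and callers must check the result would make that contract explicit, assuming (not visible here) that the constructor leaves those members null. CFDE_XMLSyntaxParser::Init starts before this hunk and continues past it.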