From 41a5cc0c5bfcf998103180d33a2e32d2f495d656 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Mon, 13 Apr 2015 14:21:07 -0700
Subject: Fix a stack overflow issue caused by an invalid usage of snprintf

BUG=469244
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1062983002

(cherry picked from commit 5a82342845335770f975ef7f9a1b0bca1cf2d971)

Review URL: https://codereview.chromium.org/1082043002
---
 core/src/fxcrt/fx_basic_wstring.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/src/fxcrt/fx_basic_wstring.cpp b/core/src/fxcrt/fx_basic_wstring.cpp
index dfdbef8bd6..ce6a1cd763 100644
--- a/core/src/fxcrt/fx_basic_wstring.cpp
+++ b/core/src/fxcrt/fx_basic_wstring.cpp
@@ -976,9 +976,9 @@ void CFX_WideString::FormatV(FX_LPCWSTR lpszFormat, va_list argList)
                         nItemLen = nPrecision + nWidth + 128;
                     } else {
                         double f;
-                        char pszTemp[256];
+                        char pszTemp[256] = {0};
                         f = va_arg(argList, double);
-                        FXSYS_snprintf(pszTemp, sizeof(pszTemp), "%*.*f", nWidth, nPrecision + 6, f );
+                        FXSYS_snprintf(pszTemp, sizeof(pszTemp) - 1, "%*.*f", nWidth, nPrecision + 6, f );
                         nItemLen = (FX_STRSIZE)FXSYS_strlen(pszTemp);
                     }
                     break;
-- 
cgit v1.2.3