From 816ff7b92ff0f94e4ffaafc975b08d2c4c1a6417 Mon Sep 17 00:00:00 2001
From: ochang
Date: Fri, 27 May 2016 10:16:12 -0700
Subject: Make sure CFDE_XMLSyntaxParser's buffer is null terminated.

BUG=chromium:614962
Review-Url: https://codereview.chromium.org/2017803002
---
 xfa/fde/xml/fde_xml_imp.cpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/xfa/fde/xml/fde_xml_imp.cpp b/xfa/fde/xml/fde_xml_imp.cpp
index d7b22e076f..6a2c9fe57d 100644
--- a/xfa/fde/xml/fde_xml_imp.cpp
+++ b/xfa/fde/xml/fde_xml_imp.cpp
@@ -8,6 +8,7 @@
 #include
+#include "core/fxcrt/include/fx_safe_types.h"
 #include "xfa/fgas/crt/fgas_codepage.h"
 #include "xfa/fgas/crt/fgas_system.h"
@@ -1474,7 +1475,15 @@ void CFDE_XMLSyntaxParser::Init(IFX_Stream* pStream,
 uint8_t bom[4];
 m_iCurrentPos = m_pStream->GetBOM(bom);
 ASSERT(m_pBuffer == NULL);
- m_pBuffer = FX_Alloc(FX_WCHAR, m_iXMLPlaneSize);
+
+ FX_SAFE_INT32 alloc_size_safe = m_iXMLPlaneSize;
+ alloc_size_safe += 1; // For NUL.
+ if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0) {
+ m_syntaxParserResult = FDE_XmlSyntaxResult::Error;
+ return;
+ }
+
+ m_pBuffer = FX_Alloc(FX_WCHAR, alloc_size_safe.ValueOrDie());
 m_pStart = m_pEnd = m_pBuffer;
 ASSERT(!m_BlockBuffer.IsInitialized());
 m_BlockBuffer.InitBuffer();
-- 
cgit v1.2.3
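Review bot: The second hunk only reserves the extra FX_WCHAR slot; nothing in the hunk writes the terminator, so the fix as shown depends on FX_Alloc zero-filling the allocation and on the buffer-fill code elsewhere in this file never writing index m_iXMLPlaneSize — neither guarantee is visible here. Either set it explicitly right after the allocation, `m_pBuffer[alloc_size_safe.ValueOrDie() - 1] = 0;  // terminator slot; never written by the fill path`, or extend the `// For NUL.` comment to name the zero-fill behaviour the code relies on, so a later change to FX_Alloc or to the fill loop does not silently reintroduce the over-read. The new early return leaves m_pBuffer NULL with m_pStart/m_pEnd untouched, so it is worth confirming that callers check m_syntaxParserResult before driving the parser, since the later methods presumably assume the buffer exists. CFDE_XMLSyntaxParser::Init begins before the hunk and continues past it.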