From 8298d25cf3ac41d71a8533700d929cadac1c360d Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Mon, 22 Oct 2018 17:23:51 +0000
Subject: Speculative fix for bad FX_Free() under fuzzer.

A recent change to CFX_CodecMemory prevented it leaking an old buffer when a realloc() failed. But there is a corner case where realloc() to size 0 also returns null (as would a failed alloc), but frees the buffer, rather than leaving it intact.

TBR: thestig@chromium.org
Bug: 897585
Change-Id: Ib1e82088a822008780f11c6ea94b0552fbf51146
Reviewed-on: https://pdfium-review.googlesource.com/c/44451
Reviewed-by: Tom Sepez
Commit-Queue: Tom Sepez
---
 core/fxcodec/codec/cfx_codec_memory.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/fxcodec/codec/cfx_codec_memory.cpp b/core/fxcodec/codec/cfx_codec_memory.cpp
index 640db12415..36b78672c6 100644
--- a/core/fxcodec/codec/cfx_codec_memory.cpp
+++ b/core/fxcodec/codec/cfx_codec_memory.cpp
@@ -32,7 +32,7 @@ size_t CFX_CodecMemory::ReadBlock(void* buffer, size_t size) {
 bool CFX_CodecMemory::TryResize(size_t new_buffer_size) {
   uint8_t* pOldBuf = buffer_.release();
   uint8_t* pNewBuf = FX_TryRealloc(uint8_t, pOldBuf, new_buffer_size);
-  if (!pNewBuf) {
+  if (new_buffer_size && !pNewBuf) {
     buffer_.reset(pOldBuf);
     return false;
   }
-- 
cgit v1.2.3
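Review bot: The added `new_buffer_size &&` guard in TryResize is only correct because realloc(p, 0) is permitted to free p and return nullptr, and nothing in the hunk says so; a reader sees a null-check that is skipped for size 0 and will read it as a bug. Add a comment above the condition: `// FX_TryRealloc(p, 0) may free p and return nullptr; that is a successful shrink, not a failure, so pOldBuf must not be handed back to buffer_.` With the fix, a zero-size request that yields nullptr now falls through to whatever the rest of TryResize does with pNewBuf (that part lies outside the hunk), so buffer_ can end up null while the function returns true, and callers need to tolerate an empty buffer on success. Whether the allocator behind FX_TryRealloc frees on size 0 or returns a distinct non-null pointer is not visible here; both outcomes are handled by the new condition, but an allocator that fails a zero-byte request without freeing the old block would still leak pOldBuf, which is worth confirming given the commit calls the fix speculative.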