From 92c13a7d495c54d86ac8faf8a56a017da2ad39ff Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Fri, 19 May 2017 10:43:06 -0700
Subject: ASAN flags zero-length StringC in GetMapModuleString()

Corner case for StringCs:  A non-referenceable ptr plus a
zero length.

The situation should be rare, so fix it at the spot of the
foul rather than adding logic to the StringC constructors to
zero the pointer when encountering zero length.

Bug: 724500
Change-Id: I54b263f7db5ddef7bade6bfaa185a542ea20229c
Reviewed-on: https://pdfium-review.googlesource.com/5730
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
---
 xfa/fxfa/parser/cxfa_node.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/xfa/fxfa/parser/cxfa_node.cpp b/xfa/fxfa/parser/cxfa_node.cpp
index e136814e9f..8830f3412c 100644
--- a/xfa/fxfa/parser/cxfa_node.cpp
+++ b/xfa/fxfa/parser/cxfa_node.cpp
@@ -4854,10 +4854,11 @@ void CXFA_Node::SetMapModuleString(void* pKey, const CFX_WideStringC& wsValue) {
 bool CXFA_Node::GetMapModuleString(void* pKey, CFX_WideStringC& wsValue) {
   void* pValue;
   int32_t iBytes;
-  if (!GetMapModuleBuffer(pKey, pValue, iBytes)) {
+  if (!GetMapModuleBuffer(pKey, pValue, iBytes))
     return false;
-  }
-  wsValue = CFX_WideStringC((const wchar_t*)pValue, iBytes / sizeof(wchar_t));
+  // Defensive measure: no out-of-bounds pointers even if zero length.
+  int32_t iChars = iBytes / sizeof(wchar_t);
+  wsValue = CFX_WideStringC(iChars ? (const wchar_t*)pValue : nullptr, iChars);
   return true;
 }
 
-- 
cgit v1.2.3