From 92c13a7d495c54d86ac8faf8a56a017da2ad39ff Mon Sep 17 00:00:00 2001 From: Tom Sepez Date: Fri, 19 May 2017 10:43:06 -0700 Subject: ASAN flags zero-length StringC in GetMapModuleString() Corner case for StringCs: A non-referenceable ptr plus a zero length. The situation should be rare, so fix it at the spot of the foul rather than adding logic to the StringC constructors to zero the pointer when encountering zero length. Bug: 724500 Change-Id: I54b263f7db5ddef7bade6bfaa185a542ea20229c Reviewed-on: https://pdfium-review.googlesource.com/5730 Reviewed-by: Lei Zhang Commit-Queue: Tom Sepez --- xfa/fxfa/parser/cxfa_node.cpp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/xfa/fxfa/parser/cxfa_node.cpp b/xfa/fxfa/parser/cxfa_node.cpp index e136814e9f..8830f3412c 100644 --- a/xfa/fxfa/parser/cxfa_node.cpp +++ b/xfa/fxfa/parser/cxfa_node.cpp @@ -4854,10 +4854,11 @@ void CXFA_Node::SetMapModuleString(void* pKey, const CFX_WideStringC& wsValue) { bool CXFA_Node::GetMapModuleString(void* pKey, CFX_WideStringC& wsValue) { void* pValue; int32_t iBytes; - if (!GetMapModuleBuffer(pKey, pValue, iBytes)) { + if (!GetMapModuleBuffer(pKey, pValue, iBytes)) return false; - } - wsValue = CFX_WideStringC((const wchar_t*)pValue, iBytes / sizeof(wchar_t)); + // Defensive measure: no out-of-bounds pointers even if zero length. + int32_t iChars = iBytes / sizeof(wchar_t); + wsValue = CFX_WideStringC(iChars ? (const wchar_t*)pValue : nullptr, iChars); return true; } -- cgit v1.2.3