From ca825d3abded0dd633857ab56288ceff54858cd8 Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Wed, 29 Mar 2017 12:43:50 -0700
Subject: Fix MSAN uninitialized value report.

Having move to partition alloc, string buffers are no longer automatically pre-zero'd (nor should they because CFX strings are implemented without this cycle-wasting assumption in mind).

BUG=705912
Change-Id: Ia0de263076c2a792ab546bd10c37a06b4251e7e2
Reviewed-on: https://pdfium-review.googlesource.com/3292
Commit-Queue: Tom Sepez
Reviewed-by: dsinclair
---
 core/fxcrt/fx_basic_wstring.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/core/fxcrt/fx_basic_wstring.cpp b/core/fxcrt/fx_basic_wstring.cpp
index 5cb6a57181..5c0b6ce061 100644
--- a/core/fxcrt/fx_basic_wstring.cpp
+++ b/core/fxcrt/fx_basic_wstring.cpp
@@ -607,6 +607,13 @@ void CFX_WideString::FormatV(const wchar_t* pFormat, va_list argList) {
 }
 GetBuffer(nMaxLen);
 if (m_pData) {
+ // In the following two calls, there's always space in the buffer for
+ // a terminating NUL that's not included in nMaxLen.
+ // For vswprintf(), MSAN won't untaint the buffer on a truncated write's
+ // -1 return code even though the buffer is written. Probably just as well
+ // not to trust the vendor's implementation to write anything anyways.
+ // See https://crbug.com/705912.
+ memset(m_pData->m_String, 0, nMaxLen + 1);
 FXSYS_vswprintf((wchar_t*)m_pData->m_String, nMaxLen + 1,
 (const wchar_t*)pFormat, argListSave);
 ReleaseBuffer();
-- 
cgit v1.2.3
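Review bot: The added memset clears `nMaxLen + 1` bytes, while the count passed to FXSYS_vswprintf on the next line is `nMaxLen + 1` wide characters, so if m_String is wchar_t storage (which that count and the CFX_WideString context imply) only a fraction of the buffer is zeroed and the tail remains uninitialized. That leaves the truncated-write case the commit message describes still exposed: MSAN can keep reporting it, and whatever ReleaseBuffer() does with the unwritten tail presumably still sees uninitialized data. Scale the length by the element size: `memset(m_pData->m_String, 0, (nMaxLen + 1) * sizeof(wchar_t));`, and consider stating the unit in the preceding comment, e.g. `// Clear the whole buffer in wide chars, not bytes.` FormatV begins and ends outside the hunk, so the declaration of m_String is not visible here.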