From f0f2a2a528e154b8ceeded297abc3a64007850f8 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Tue, 13 Jun 2017 22:57:46 -0700
Subject: Fix a buffer overflow in FPDFPage_Flatten().
BUG=chromium:732661
Change-Id: Ie11a7d97db97ac969fb6230956efbf21c2ed3d87
Reviewed-on: https://pdfium-review.googlesource.com/6555
Commit-Queue: dsinclair
Reviewed-by: dsinclair
---
 fpdfsdk/fpdf_flatten.cpp | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/fpdfsdk/fpdf_flatten.cpp b/fpdfsdk/fpdf_flatten.cpp
index 0477d6fea5..914008c1a3 100644
--- a/fpdfsdk/fpdf_flatten.cpp
+++ b/fpdfsdk/fpdf_flatten.cpp
@@ -305,15 +305,18 @@ DLLEXPORT int STDCALL FPDFPage_Flatten(FPDF_PAGE page, int nFlag) {
 if (!pPageXObject)
 pPageXObject = pRes->SetNewFor("XObject");
- CFX_ByteString key = "";
+ CFX_ByteString key;
 int nStreams = pdfium::CollectionSize(ObjectArray);
 if (nStreams > 0) {
- for (int iKey = 0; /*iKey < 100*/; iKey++) {
- char sExtend[5] = {};
- FXSYS_itoa(iKey, sExtend, 10);
- key = CFX_ByteString("FFT") + CFX_ByteString(sExtend);
- if (!pPageXObject->KeyExist(key))
+ CFX_ByteString sKey;
+ int i = 0;
+ while (i < INT_MAX) {
+ sKey.Format("FFT%d", i);
+ if (!pPageXObject->KeyExist(sKey)) {
+ key = sKey;
 break;
+ }
+ ++i;
 }
 }
--
cgit v1.2.3
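Review bot: The new `while (i < INT_MAX)` loop has an exit path that leaves `key` empty, and nothing inside the hunk handles it; FPDFPage_Flatten() continues below the hunk, so I cannot see whether the code that uses `key` tolerates an empty name. An explicit check after the loop, inside the `if (nStreams > 0)` block, would make that path visible, e.g. `if (key.IsEmpty()) return FLATTEN_FAIL;`, provided an early return is safe at that point. `INT_MAX` also needs `<limits.h>` (or `<climits>`), and no include is added by this patch, so the build presumably relies on a transitive include. Since the diffstat lists only fpdf_flatten.cpp, a regression test for a page whose XObject dictionary already holds enough `FFT<n>` names to exceed the old five-byte `sExtend` buffer would keep the fixed-size conversion from coming back.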