From ddb9b7cdd19b63a81c4a094239e85f84acefaa17 Mon Sep 17 00:00:00 2001
From: Ryan Harrison <rharrison@chromium.org>
Date: Fri, 11 Aug 2017 16:20:32 -0400
Subject: Add checks of index operations on string classes

Specifically the index parameter passed in to GetAt(), SetAt() and
operator[] are now being tested to be in bounds.

BUG=chromium:752480, pdfium:828

Change-Id: I9e94d58c98a8eaaaae53cd0e3ffe2123ea17d8c4
Reviewed-on: https://pdfium-review.googlesource.com/10651
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
---
 core/fpdfapi/font/cpdf_cmapparser.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'core/fpdfapi/font/cpdf_cmapparser.cpp')

diff --git a/core/fpdfapi/font/cpdf_cmapparser.cpp b/core/fpdfapi/font/cpdf_cmapparser.cpp
index 0f9bca6018..cbf693966e 100644
--- a/core/fpdfapi/font/cpdf_cmapparser.cpp
+++ b/core/fpdfapi/font/cpdf_cmapparser.cpp
@@ -35,7 +35,7 @@ CIDSet CIDSetFromSizeT(size_t index) {
 CFX_ByteStringC CMap_GetString(const CFX_ByteStringC& word) {
   if (word.GetLength() <= 2)
     return CFX_ByteStringC();
-  return CFX_ByteStringC(&word[1], word.GetLength() - 2);
+  return word.Right(word.GetLength() - 2);
 }
 
 }  // namespace
@@ -137,6 +137,8 @@ void CPDF_CMapParser::ParseWord(const CFX_ByteStringC& word) {
 
 // Static.
 uint32_t CPDF_CMapParser::CMap_GetCode(const CFX_ByteStringC& word) {
+  if (word.IsEmpty())
+    return 0;
   pdfium::base::CheckedNumeric<uint32_t> num = 0;
   if (word.GetAt(0) == '<') {
     for (int i = 1; i < word.GetLength() && std::isxdigit(word.GetAt(i)); ++i) {
-- 
cgit v1.2.3