From 7f3b99a6a78e524613337f42a99b5634c0ad05f8 Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Fri, 15 May 2015 08:44:31 -0700
Subject: Fix potential UAF in ConcatInPlace.
If ConcatCopy somehow gets a zero nNewlen, it returns early, without allocating a new m_Data. ConcatInPlace then frees the old one, leaving m_Data dangling. Also be concerned about the multiplication in the widestring version. So use wmemcpy and let the library cope with it.
R=thestig@chromium.org
Review URL: https://codereview.chromium.org/1130763007
---
core/include/fxcrt/fx_string.h | 2 ++
1 file changed, 2 insertions(+)
(limited to 'core/include/fxcrt/fx_string.h')
diff --git a/core/include/fxcrt/fx_string.h b/core/include/fxcrt/fx_string.h
index a7b9a23e25..3614cbe0ee 100644
--- a/core/include/fxcrt/fx_string.h
+++ b/core/include/fxcrt/fx_string.h
@@ -389,6 +389,7 @@ protected:
 void AllocBeforeWrite(FX_STRSIZE nLen);
 StringData* m_pData;
+ friend class fxcrt_ByteStringConcatInPlace_Test;
 };
 inline CFX_ByteStringC::CFX_ByteStringC(const CFX_ByteString& src) {
@@ -815,6 +816,7 @@ protected:
 void AllocCopy(CFX_WideString& dest, FX_STRSIZE nCopyLen, FX_STRSIZE nCopyIndex) const;
 StringData* m_pData;
+ friend class fxcrt_WideStringConcatInPlace_Test;
 };
 inline CFX_WideStringC::CFX_WideStringC(const CFX_WideString& src) {
--
cgit v1.2.3
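Review bot: The new `friend class fxcrt_ByteStringConcatInPlace_Test;` line (and its twin `friend class fxcrt_WideStringConcatInPlace_Test;` in the second hunk at +816) carries no comment saying why a production header names a unit-test fixture, so a later maintainer cannot tell whether it is safe to remove; add `// Lets the ConcatInPlace regression test inspect m_pData after a zero-length append.` above each. The names match the class gtest generates for `TEST(fxcrt, ByteStringConcatInPlace)`; gtest's `FRIEND_TEST` macro would state the intent directly but needs gtest_prod.h included from core, so the bare declaration is presumably deliberate and worth a one-line note. Friendship grants the test every protected member (AllocBeforeWrite, AllocCopy, m_pData), not only m_pData, which is acceptable for a test but should be said. The ConcatInPlace/ConcatCopy fix the commit message describes is not in this diff, which is limited to fx_string.h, and both class definitions start outside the hunks.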