From f265ee5a5f0e96d1a91111f4f27eb2f1edd8835a Mon Sep 17 00:00:00 2001
From: JUN FANG
Date: Sat, 11 Apr 2015 09:33:23 -0700
Subject: Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar Add a check to make sure offset is less than the size of string in the function of GetNextChar(). BUG=471651 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1067073003
---
 core/src/fpdfapi/fpdf_font/font_int.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'core/src/fpdfapi/fpdf_font/font_int.h')
diff --git a/core/src/fpdfapi/fpdf_font/font_int.h b/core/src/fpdfapi/fpdf_font/font_int.h
index 6048ba981d..43f4e302af 100644
--- a/core/src/fpdfapi/fpdf_font/font_int.h
+++ b/core/src/fpdfapi/fpdf_font/font_int.h
@@ -95,8 +95,8 @@ public:
 FX_WORD CIDFromCharCode(FX_DWORD charcode) const;
 FX_DWORD CharCodeFromCID(FX_WORD CID) const;
 int GetCharSize(FX_DWORD charcode) const;
- FX_DWORD GetNextChar(const FX_CHAR* pString, int& offset) const;
- int CountChar(const FX_CHAR* pString, int size) const;
+ FX_DWORD GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const;
+ int CountChar(FX_LPCSTR pString, int size) const;
 int AppendChar(FX_LPSTR str, FX_DWORD charcode) const;
 typedef enum {OneByte, TwoBytes, MixedTwoBytes, MixedFourBytes} CodingScheme;
 protected:
-- 
cgit v1.2.3
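Review bot: The new `GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset)` declaration states no bounds contract, and both the length and the in/out offset are signed `int`. The implementation is not part of this hunk, so it cannot be confirmed here that a negative `offset` or `nStrLen` is rejected; a guard that only tests `offset < nStrLen` would still accept a negative offset and read before the buffer. I would put the contract on the declaration, for example `// pString holds nStrLen bytes; offset must start in [0, nStrLen) and is advanced past the char read.`, and check that the .cpp enforces both ends of that range, including for multi-byte codes that would run past `nStrLen`. The same length is called `size` in `CountChar` and `nStrLen` here; one name for both would make the pairing obvious. The class declaration begins and ends outside the hunk.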