From e26a07588130eeaff120490a266a0a681705f006 Mon Sep 17 00:00:00 2001 From: JUN FANG Date: Sat, 11 Apr 2015 09:33:23 -0700 Subject: Merge to XFA: Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar Add a check to make sure offset is less than the size of string in the function of GetNextChar(). BUG=471651 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1067073003
---
 core/src/fpdfapi/fpdf_font/fpdf_font.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'core/src/fpdfapi/fpdf_font/fpdf_font.cpp')
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
index dd646ca113..41bb95a89d 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
@@ -213,7 +213,7 @@ CFX_WideString CPDF_Font::DecodeString(const CFX_ByteString& str) const
 FX_LPCSTR src_buf = str;
 int src_pos = 0;
 while (src_pos < src_len) {
- FX_DWORD charcode = GetNextChar(src_buf, src_pos);
+ FX_DWORD charcode = GetNextChar(src_buf, src_len, src_pos);
 CFX_WideString unicode = UnicodeFromCharCode(charcode);
 if (!unicode.IsEmpty()) {
 result += unicode;
@@ -379,7 +379,7 @@ int CPDF_Font::GetStringWidth(FX_LPCSTR pString, int size)
 int offset = 0;
 int width = 0;
 while (offset < size) {
- FX_DWORD charcode = GetNextChar(pString, offset);
+ FX_DWORD charcode = GetNextChar(pString, size, offset);
 width += GetCharWidthF(charcode);
 }
 return width;
-- cgit v1.2.3
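Review bot: The `while (src_pos < src_len)` loop in DecodeString, and the matching `while (offset < size)` loop in GetStringWidth in the second hunk, terminate only if GetNextChar advances the offset on every call. That includes the new bounded path for a multi-byte code truncated at the end of the string. The bounds check itself is not in this file's diff, so it cannot be confirmed here; if it returns early without moving the offset, both loops would spin on malformed font data instead of overflowing. I would state the contract above each call, e.g. `// GetNextChar must advance src_pos on every call, even when the code is truncated at src_len`, and add a regression case with a string ending in a partial multi-byte code. DecodeString's body starts and ends outside the hunk.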
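Review bot: GetStringWidth now forwards the caller-supplied `size` as the read bound for `pString`, so the overflow fix is only as strong as that argument, and nothing in the visible lines ties `size` to the real length of the buffer. A negative `size` is harmless because the loop is skipped, but a `size` larger than the buffer would still let GetNextChar read past the end. I would document the contract at the top of the function, e.g. `// size must be the number of readable bytes at pString; GetNextChar bounds its reads by it`. Separately, `width` is a plain `int` accumulated per character; presumably inputs are short enough that it cannot overflow, but that is worth confirming for attacker-controlled text. The function's opening lines are outside the hunk.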