From f265ee5a5f0e96d1a91111f4f27eb2f1edd8835a Mon Sep 17 00:00:00 2001 From: JUN FANG Date: Sat, 11 Apr 2015 09:33:23 -0700 Subject: Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar Add a check to make sure offset is less than the size of string in the function of GetNextChar(). BUG=471651 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1067073003 --- core/src/fpdfapi/fpdf_page/fpdf_page.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'core/src/fpdfapi/fpdf_page') diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page.cpp index 590a01aa6d..ccdfb9fcbb 100644 --- a/core/src/fpdfapi/fpdf_page/fpdf_page.cpp +++ b/core/src/fpdfapi/fpdf_page/fpdf_page.cpp @@ -247,7 +247,7 @@ void CPDF_TextObject::SetSegments(const CFX_ByteString* pStrs, FX_FLOAT* pKernin FX_LPCSTR segment = pStrs[i]; int offset = 0, len = pStrs[i].GetLength(); while (offset < len) { - m_pCharCodes[index++] = pFont->GetNextChar(segment, offset); + m_pCharCodes[index++] = pFont->GetNextChar(segment, len, offset); } if (i != nsegs - 1) { m_pCharPos[index - 1] = pKerning[i]; @@ -256,7 +256,7 @@ void CPDF_TextObject::SetSegments(const CFX_ByteString* pStrs, FX_FLOAT* pKernin } } else { int offset = 0; - m_pCharCodes = (FX_DWORD*)(FX_UINTPTR)pFont->GetNextChar(pStrs[0], offset); + m_pCharCodes = (FX_DWORD*)(FX_UINTPTR)pFont->GetNextChar(pStrs[0], pStrs[0].GetLength(), offset); } } void CPDF_TextObject::SetText(const CFX_ByteString& str) -- cgit v1.2.3