From e26a07588130eeaff120490a266a0a681705f006 Mon Sep 17 00:00:00 2001
From: JUN FANG
Date: Sat, 11 Apr 2015 09:33:23 -0700
Subject: Merge to XFA: Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar

Add a check to make sure offset is less than the size of string in the function of GetNextChar().
BUG=471651
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1067073003
---
 core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp')
diff --git a/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp b/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
index f99f7cec38..0ea7ea1672 100644
--- a/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
+++ b/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
@@ -613,7 +613,7 @@ void CPDF_TextRenderer::DrawTextString(CFX_RenderDevice* pDevice, FX_FLOAT origi
 FX_DWORD* pCharCodes;
 FX_FLOAT* pCharPos;
 if (nChars == 1) {
- charcode = pFont->GetNextChar(str, offset);
+ charcode = pFont->GetNextChar(str, str.GetLength(), offset);
 pCharCodes = (FX_DWORD*)(FX_UINTPTR)charcode;
 pCharPos = NULL;
 } else {
@@ -621,7 +621,7 @@ void CPDF_TextRenderer::DrawTextString(CFX_RenderDevice* pDevice, FX_FLOAT origi
 pCharPos = FX_Alloc(FX_FLOAT, nChars - 1);
 FX_FLOAT cur_pos = 0;
 for (int i = 0; i < nChars; i ++) {
- pCharCodes[i] = pFont->GetNextChar(str, offset);
+ pCharCodes[i] = pFont->GetNextChar(str, str.GetLength(), offset);
 if (i) {
 pCharPos[i - 1] = cur_pos;
 }
--
cgit v1.2.3
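Review bot: Neither updated call site, the `nChars == 1` branch in the first hunk and the loop in the second, inspects `offset` after the call, so the overflow protection rests entirely on the check inside `GetNextChar`, which this file-limited view does not show. If the count behind `nChars` and `GetNextChar` can disagree on a malformed multi-byte string, the loop presumably still runs `nChars` times with `offset` at the end of the string and stores whatever the callee returns there into `pCharCodes[i]`. I would state that contract at the loop, e.g. `// GetNextChar bounds-checks offset against the passed length; past the end it must not read str`, and confirm that the value it returns in that case is a safe char code. `DrawTextString` begins and ends outside both hunks, so how `nChars` and `offset` are initialised is not visible here.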