From f265ee5a5f0e96d1a91111f4f27eb2f1edd8835a Mon Sep 17 00:00:00 2001
From: JUN FANG <jun_fang@foxitsoftware.com>
Date: Sat, 11 Apr 2015 09:33:23 -0700
Subject: Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar

Add a check to make sure offset is less than the size of string in the function of GetNextChar().

BUG=471651
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1067073003
---
 core/src/fpdftext/fpdf_text.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'core/src/fpdftext')

diff --git a/core/src/fpdftext/fpdf_text.cpp b/core/src/fpdftext/fpdf_text.cpp
index a4a124d5e6..d6d6de9a83 100644
--- a/core/src/fpdftext/fpdf_text.cpp
+++ b/core/src/fpdftext/fpdf_text.cpp
@@ -181,7 +181,7 @@ CTextBaseLine* CTextPage::InsertTextBox(CTextBaseLine* pBaseLine, FX_FLOAT basey
     FX_LPCSTR pStr = str;
     int len = str.GetLength(), offset = 0;
     while (offset < len) {
-        FX_DWORD ch = pFont->GetNextChar(pStr, offset);
+        FX_DWORD ch = pFont->GetNextChar(pStr, len, offset);
         CFX_WideString unicode_str = pFont->UnicodeFromCharCode(ch);
         if (unicode_str.IsEmpty()) {
             text += (FX_WCHAR)ch;
-- 
cgit v1.2.3