From f265ee5a5f0e96d1a91111f4f27eb2f1edd8835a Mon Sep 17 00:00:00 2001
From: JUN FANG
Date: Sat, 11 Apr 2015 09:33:23 -0700
Subject: Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar

Add a check to make sure offset is less than the size of string in the function of GetNextChar().

BUG=471651
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1067073003
---
 core/src/fpdftext/fpdf_text.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'core/src/fpdftext')

diff --git a/core/src/fpdftext/fpdf_text.cpp b/core/src/fpdftext/fpdf_text.cpp
index a4a124d5e6..d6d6de9a83 100644
--- a/core/src/fpdftext/fpdf_text.cpp
+++ b/core/src/fpdftext/fpdf_text.cpp
@@ -181,7 +181,7 @@ CTextBaseLine* CTextPage::InsertTextBox(CTextBaseLine* pBaseLine, FX_FLOAT basey
 FX_LPCSTR pStr = str;
 int len = str.GetLength(), offset = 0;
 while (offset < len) {
- FX_DWORD ch = pFont->GetNextChar(pStr, offset);
+ FX_DWORD ch = pFont->GetNextChar(pStr, len, offset);
 CFX_WideString unicode_str = pFont->UnicodeFromCharCode(ch);
 if (unicode_str.IsEmpty()) {
 text += (FX_WCHAR)ch;
--
cgit v1.2.3
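Review bot: The `while (offset < len)` loop around the changed call `pFont->GetNextChar(pStr, len, offset)` terminates only if the callee advances `offset` on every path, including whatever early-return path the new bounds check takes. That check is not visible here, since this view is limited to core/src/fpdftext, so it is worth confirming that a code cut short at the end of the string (presumably a multi-byte one) still moves `offset` forward rather than returning with it unchanged. A short comment at the call site would record the contract, for example `// len bounds the callee's reads of pStr; GetNextChar must always advance offset`. The commit also carries no regression test; a string that ends in a partial multi-byte code would cover both the overflow and loop termination. The body of InsertTextBox starts and ends outside the hunk.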