From 861a552af4aa7edb24c600e25a7bf388a1cdb364 Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Fri, 15 May 2015 09:09:22 -0700
Subject: Merge to XFA: Fix potential UAF in ConcatInPlace.

Original Review URL: https://codereview.chromium.org/1130763007

TBR=thestig@chromium.org

Review URL: https://codereview.chromium.org/1123333004
---
 core/src/fxcrt/fx_basic_bstring.cpp | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'core/src/fxcrt/fx_basic_bstring.cpp')

diff --git a/core/src/fxcrt/fx_basic_bstring.cpp b/core/src/fxcrt/fx_basic_bstring.cpp
index 87e50e76cc..781b821f00 100644
--- a/core/src/fxcrt/fx_basic_bstring.cpp
+++ b/core/src/fxcrt/fx_basic_bstring.cpp
@@ -422,9 +422,7 @@ void CFX_ByteString::ConcatInPlace(FX_STRSIZE nSrcLen, FX_LPCSTR lpszSrcData)
         return;
     }
     if (m_pData->m_nRefs > 1 || m_pData->m_nDataLength + nSrcLen > m_pData->m_nAllocLength) {
-        StringData* pOldData = m_pData;
         ConcatCopy(m_pData->m_nDataLength, m_pData->m_String, nSrcLen, lpszSrcData);
-        pOldData->Release();
     } else {
         FXSYS_memcpy32(m_pData->m_String + m_pData->m_nDataLength, lpszSrcData, nSrcLen);
         m_pData->m_nDataLength += nSrcLen;
@@ -435,14 +433,17 @@ void CFX_ByteString::ConcatCopy(FX_STRSIZE nSrc1Len, FX_LPCSTR lpszSrc1Data,
                                 FX_STRSIZE nSrc2Len, FX_LPCSTR lpszSrc2Data)
 {
     int nNewLen = nSrc1Len + nSrc2Len;
-    if (nNewLen == 0) {
+    if (nNewLen <= 0) {
         return;
     }
+    // Don't release until done copying, might be one of the arguments.
+    StringData* pOldData = m_pData;
     m_pData = StringData::Create(nNewLen);
     if (m_pData) {
-        FXSYS_memcpy32(m_pData->m_String, lpszSrc1Data, nSrc1Len);
-        FXSYS_memcpy32(m_pData->m_String + nSrc1Len, lpszSrc2Data, nSrc2Len);
+        memcpy(m_pData->m_String, lpszSrc1Data, nSrc1Len);
+        memcpy(m_pData->m_String + nSrc1Len, lpszSrc2Data, nSrc2Len);
     }
+    pOldData->Release();
 }
 CFX_ByteString CFX_ByteString::Mid(FX_STRSIZE nFirst) const
 {
-- 
cgit v1.2.3
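Review bot: The new `pOldData->Release();` at the end of ConcatCopy is unconditional, so any caller that enters ConcatCopy while `m_pData` is still null (the hunk only shows the ConcatInPlace path, where an earlier check presumably guarantees a non-null `m_pData`; a constructor that builds a string from two pieces would plausibly start from null) now dereferences a null pointer; `if (pOldData) pOldData->Release();` keeps the use-after-free fix and covers that case. The same line also drops the old buffer when `StringData::Create(nNewLen)` returns null, leaving the string empty instead of intact — that matches what the removed ConcatInPlace lines did, but it deserves a comment on the `if (m_pData)` branch such as `// On allocation failure the old contents are released and the string becomes empty.` ConcatInPlace (first hunk) begins before its hunk, and the body of Mid continues after the second one.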