From 7f3b99a6a78e524613337f42a99b5634c0ad05f8 Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Fri, 15 May 2015 08:44:31 -0700
Subject: Fix potential UAF in ConcatInPlace. If ConcatCopy somehow gets a zero nNewlen, it returns early, without allocating a new m_Data. ConcatInPlace then frees the old one, leaving m_Data dangling. Also be concerned about the multiplication in the widestring version. So use wmemcpy and let the library cope with it. R=thestig@chromium.org Review URL: https://codereview.chromium.org/1130763007
---
core/src/fxcrt/fx_basic_bstring_unittest.cpp | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
(limited to 'core/src/fxcrt/fx_basic_bstring_unittest.cpp')
diff --git a/core/src/fxcrt/fx_basic_bstring_unittest.cpp b/core/src/fxcrt/fx_basic_bstring_unittest.cpp
index 1f80207e96..bcdd33b8b8 100644
--- a/core/src/fxcrt/fx_basic_bstring_unittest.cpp
+++ b/core/src/fxcrt/fx_basic_bstring_unittest.cpp
@@ -288,6 +288,33 @@ TEST(fxcrt, ByteStringCNull) {
 EXPECT_NE(null_string, non_null_string);
 }
 
+TEST(fxcrt, ByteStringConcatInPlace) {
+ CFX_ByteString fred;
+ fred.ConcatInPlace(4, "FRED");
+ EXPECT_EQ("FRED", fred);
+
+ fred.ConcatInPlace(2, "DY");
+ EXPECT_EQ("FREDDY", fred);
+
+ fred.Delete(3, 3);
+ EXPECT_EQ("FRE", fred);
+
+ fred.ConcatInPlace(1, "D");
+ EXPECT_EQ("FRED", fred);
+
+ CFX_ByteString copy = fred;
+ fred.ConcatInPlace(2, "DY");
+ EXPECT_EQ("FREDDY", fred);
+ EXPECT_EQ("FRED", copy);
+
+ // Test invalid arguments.
+ copy = fred;
+ fred.ConcatInPlace(-6, "freddy");
+ CFX_ByteString not_aliased("xxxxxx");
+ EXPECT_EQ("FREDDY", fred);
+ EXPECT_EQ("xxxxxx", not_aliased);
+}
+
 TEST(fxcrt, ByteStringCNotNull) {
 CFX_ByteStringC string3("abc");
 CFX_ByteStringC string6("abcdef");
-- 
cgit v1.2.3
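Review bot: The invalid-argument case at the end of ByteStringConcatInPlace never checks `copy` after `fred.ConcatInPlace(-6, "freddy")`, even though `copy = fred` was assigned just before, presumably so the two strings share a buffer when the bad length arrives; adding `EXPECT_EQ("FREDDY", copy);` would pin that the sharing string survives too. Detection rests on `not_aliased("xxxxxx")` landing in a block that a regressed ConcatInPlace would have freed, which depends on the allocator reusing that block, so the test is a dependable regression guard mainly when run under a memory-error detector such as AddressSanitizer. The literal -6 appears to be chosen to cancel the 6-byte length of "FREDDY" and produce the zero new length described in the commit message; a comment such as `// -6 cancels the current length (6): the zero-nNewLen case that left m_Data dangling` would make that intent visible. The message also mentions the wide-string version, and no wide-string test is visible in this file's diff.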