From 8298d25cf3ac41d71a8533700d929cadac1c360d Mon Sep 17 00:00:00 2001 From: Tom Sepez Date: Mon, 22 Oct 2018 17:23:51 +0000 Subject: Speculative fix for bad FX_Free() under fuzzer. A recent change to CFX_CodecMemory prevented it leaking an old buffer when a realloc() failed. But there is a corner case where realloc() to size 0 also returns null (as would a failed alloc), but frees the buffer, rather than leaving it intact. TBR: thestig@chromium.org Bug: 897585 Change-Id: Ib1e82088a822008780f11c6ea94b0552fbf51146 Reviewed-on: https://pdfium-review.googlesource.com/c/44451 Reviewed-by: Tom Sepez Commit-Queue: Tom Sepez --- core/fxcodec/codec/cfx_codec_memory.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'core') diff --git a/core/fxcodec/codec/cfx_codec_memory.cpp b/core/fxcodec/codec/cfx_codec_memory.cpp index 640db12415..36b78672c6 100644 --- a/core/fxcodec/codec/cfx_codec_memory.cpp +++ b/core/fxcodec/codec/cfx_codec_memory.cpp @@ -32,7 +32,7 @@ size_t CFX_CodecMemory::ReadBlock(void* buffer, size_t size) { bool CFX_CodecMemory::TryResize(size_t new_buffer_size) { uint8_t* pOldBuf = buffer_.release(); uint8_t* pNewBuf = FX_TryRealloc(uint8_t, pOldBuf, new_buffer_size); - if (!pNewBuf) { + if (new_buffer_size && !pNewBuf) { buffer_.reset(pOldBuf); return false; } -- cgit v1.2.3