From d52a0afaa3e4374dee469e41db4389bf9c61c4a9 Mon Sep 17 00:00:00 2001
From: Ryan Harrison
Date: Thu, 21 Jun 2018 18:29:44 +0000
Subject: Use the length of calculated string instead of source

In this function a string is converted to UTF8, if there are non-printing characters in the original string, the generated string will be shorter. Thus using the original string length for iteration range will cause an OOB read.

BUG=chromium:854623
Change-Id: I338005476c3de529709f3eae6892d27a6c7f2263
Reviewed-on: https://pdfium-review.googlesource.com/35810
Commit-Queue: Ryan Harrison
Reviewed-by: Tom Sepez
---
 fxjs/cfxjse_formcalc_context_embeddertest.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'fxjs/cfxjse_formcalc_context_embeddertest.cpp')
diff --git a/fxjs/cfxjse_formcalc_context_embeddertest.cpp b/fxjs/cfxjse_formcalc_context_embeddertest.cpp
index 58cb34b6d9..22e6b25afc 100644
--- a/fxjs/cfxjse_formcalc_context_embeddertest.cpp
+++ b/fxjs/cfxjse_formcalc_context_embeddertest.cpp
@@ -1176,6 +1176,16 @@ TEST_F(CFXJSE_FormCalcContextEmbedderTest, Lower) {
 }
 }
+// This is testing for an OOB read, so will likely only fail under ASAN.
+TEST_F(CFXJSE_FormCalcContextEmbedderTest, bug_854623) {
+ ASSERT_TRUE(OpenDocument("simple_xfa.pdf"));
+ const uint8_t test_string[] = {
+ 0x4c, 0x6f, 0x77, 0x65, 0x72, 0x28, 0x22, 0xc3,
+ 0x85, 0xc3, 0x85, 0xc3, 0x85, 0x22, 0x29}; // Lower("ÅÅÅ")
+ Execute(ByteString(test_string, sizeof(test_string)).AsStringView());
+}
+
 TEST_F(CFXJSE_FormCalcContextEmbedderTest, Ltrim) {
 ASSERT_TRUE(OpenDocument("simple_xfa.pdf"));
--
cgit v1.2.3
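Review bot: The result of `Execute(...)` in `bug_854623` is discarded and nothing is asserted afterwards, so in a build without ASAN this regression test passes whether or not the over-read is still present. If the fixture's `Execute` reports success (its declaration is outside this hunk), check it with `EXPECT_TRUE(Execute(ByteString(test_string, sizeof(test_string)).AsStringView()));`, and ideally also pin the value `Lower` returns. The comment above the test could say why this input matters, for example `// Each "Å" is two UTF-8 bytes (0xc3 0x85), so the byte length exceeds the converted string's length.` The test only guards against the bug when the suite runs under a sanitizer, so it is worth confirming that a sanitizer configuration covers this target. The diff shown here is limited to the test file, so the length fix itself cannot be reviewed from this page.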