From 239915200225fea4c5a02e9630044ef13fccb66d Mon Sep 17 00:00:00 2001
From: npm
Date: Mon, 28 Nov 2016 12:49:29 -0800
Subject: Fix crash in CFDE_CSSSyntaxParser when parsing empty url
When parsing "url('')", Subtract() should be called to correctly set m_iDatLen. But iLength will be 0 because there is no url. So I changed the ASSERT. Also replaced some non-const refs with pointers to make the code more readable.
BUG=659509
Review-Url: https://codereview.chromium.org/2535663003
---
 xfa/fde/css/fde_csssyntax.cpp | 26 ++++++++++----------------
 1 file changed, 10 insertions(+), 16 deletions(-)
(limited to 'xfa/fde/css/fde_csssyntax.cpp')
diff --git a/xfa/fde/css/fde_csssyntax.cpp b/xfa/fde/css/fde_csssyntax.cpp
index 436a94b67b..27094e1376 100644
--- a/xfa/fde/css/fde_csssyntax.cpp
+++ b/xfa/fde/css/fde_csssyntax.cpp
@@ -6,6 +6,8 @@
 #include "xfa/fde/css/fde_csssyntax.h"
+#include
+
 #include "xfa/fde/css/fde_cssdatatable.h"
 #include "xfa/fgas/crt/fgas_codepage.h"
@@ -280,16 +282,13 @@ FDE_CSSSYNTAXSTATUS CFDE_CSSSyntaxParser::DoSyntaxParse() {
 if (wch <= ' ' || wch == ';') {
 int32_t iURIStart, iURILength = m_TextData.GetLength();
- if (iURILength > 0 &&
- FDE_ParseCSSURI(m_TextData.GetBuffer(), iURILength, iURIStart,
- iURILength)) {
+ if (iURILength > 0 && FDE_ParseCSSURI(m_TextData.GetBuffer(),
+ &iURIStart, &iURILength)) {
 m_TextData.Subtract(iURIStart, iURILength);
 SwitchMode(FDE_CSSSYNTAXMODE_MediaType);
- if (IsImportEnabled()) {
+ if (IsImportEnabled())
 return FDE_CSSSYNTAXSTATUS_URI;
- } else {
- break;
- }
+ break;
 }
 }
 AppendChar(wch);
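Review bot: `iURIStart` is declared without an initialiser in `int32_t iURIStart, iURILength = m_TextData.GetLength();` and is then handed to FDE_ParseCSSURI by pointer, while `iURILength` now appears to carry the input length in and the URI length out; nothing at the call site says so. Both values go straight into `m_TextData.Subtract()` and are derived from parsed stylesheet text, so I would split the declaration and initialise both, `int32_t iURIStart = 0;` and `int32_t iURILength = m_TextData.GetLength();`. A comment such as `// in: text length; out: URI offset and length, length may be 0 for url('')` would document the contract. FDE_ParseCSSURI is not part of this diff, so whether it always writes `*iURIStart` before returning true cannot be confirmed from here. DoSyntaxParse starts and ends outside the hunk.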
@@ -468,15 +467,10 @@ bool CFDE_CSSTextBuf::ExpandBuf(int32_t iDesiredSize) {
 m_iBufLen = iDesiredSize;
 return true;
 }
+
 void CFDE_CSSTextBuf::Subtract(int32_t iStart, int32_t iLength) {
- ASSERT(iStart >= 0 && iLength > 0);
- if (iLength > m_iDatLen - iStart) {
- iLength = m_iDatLen - iStart;
- }
- if (iLength < 0) {
- iLength = 0;
- } else {
- FXSYS_memmove(m_pBuffer, m_pBuffer + iStart, iLength * sizeof(FX_WCHAR));
- }
+ ASSERT(iStart >= 0 && iLength >= 0);
+ iLength = std::max(std::min(iLength, m_iDatLen - iStart), 0);
+ FXSYS_memmove(m_pBuffer, m_pBuffer + iStart, iLength * sizeof(FX_WCHAR));
 m_iDatLen = iLength;
 }
-- cgit v1.2.3
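Review bot: The only check on `iStart` in the new Subtract() is the ASSERT, so if ASSERT compiles out in release builds (as is usual) a negative `iStart` still reaches `FXSYS_memmove(m_pBuffer, m_pBuffer + iStart, ...)` and reads from before the buffer. The `std::max(..., 0)` clamp covers a negative or oversized `iLength` but not the offset, and `m_iDatLen - iStart` grows rather than shrinks when `iStart` is negative. I would bound the offset at runtime as well, with `iStart = std::min(std::max(iStart, 0), m_iDatLen);` ahead of the length clamp. The diffstat shows a single file changed, so a regression test that parses `url('')` would be a useful addition for BUG=659509.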