Speculative fix for bad FX_Free() under fuzzer. A recent change to CFX_CodecMemory prevented it leaking an old buffer when a realloc() failed. But there is a corner case where realloc() to size 0 also returns null (as would a failed alloc), but frees the buffer, rather than leaving it intact. TBR: thestig@chromium.org Bug: 897585 Change-Id: Ib1e82088a822008780f11c6ea94b0552fbf51146 Reviewed-on: https://pdfium-review.googlesource.com/c/44451 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org>

commit: 8298d25cf3ac41d71a8533700d929cadac1c360d [log] [tgz]
author: Tom Sepez <tsepez@chromium.org> Mon Oct 22 17:23:51 2018 +0000
committer: Chromium commit bot <commit-bot@chromium.org> Mon Oct 22 17:23:51 2018 +0000
tree: 219955226276efd61fd9e67d0f56d45a453c5743
parent: af3d6cc8910fbddc7518f9d54f4c4ad0dd25ed40 [diff]
diff --git a/core/fxcodec/codec/cfx_codec_memory.cpp b/core/fxcodec/codec/cfx_codec_memory.cpp
index 640db12..36b7867 100644
--- a/core/fxcodec/codec/cfx_codec_memory.cpp
+++ b/core/fxcodec/codec/cfx_codec_memory.cpp

@@ -32,7 +32,7 @@
 bool CFX_CodecMemory::TryResize(size_t new_buffer_size) {
   uint8_t* pOldBuf = buffer_.release();
   uint8_t* pNewBuf = FX_TryRealloc(uint8_t, pOldBuf, new_buffer_size);
-  if (!pNewBuf) {
+  if (new_buffer_size && !pNewBuf) {
     buffer_.reset(pOldBuf);
     return false;
   }
commit	8298d25cf3ac41d71a8533700d929cadac1c360d	[log] [tgz]
author	Tom Sepez <tsepez@chromium.org>	Mon Oct 22 17:23:51 2018 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	Mon Oct 22 17:23:51 2018 +0000
tree	219955226276efd61fd9e67d0f56d45a453c5743
parent	af3d6cc8910fbddc7518f9d54f4c4ad0dd25ed40 [diff]