Check size before writting

Before writting to the stream buffer make sure that we won't walk off the end
of the allocated size.

In this specific case the dest_size of the buffer is 0, so we're basically just
looping over to free the temp results.

BUG=chromium:697847

Change-Id: I229eea96179692216cb2685facbb7d5379c501c7
Reviewed-on: https://pdfium-review.googlesource.com/2903
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

core/fxcodec/codec/fx_codec_flate.cpp

diff --git a/core/fxcodec/codec/fx_codec_flate.cpp b/core/fxcodec/codec/fx_codec_flate.cpp
index 3cffc0b..b17e202 100644
--- a/core/fxcodec/codec/fx_codec_flate.cpp
+++ b/core/fxcodec/codec/fx_codec_flate.cpp
@@ -587,6 +587,10 @@
       cur_buf = FX_Alloc(uint8_t, buf_size + 1);
       cur_buf[buf_size] = '\0';
     }
+
+    // The TotalOut size returned from the library may not be big enough to
+    // handle the content the library returns. We can only handle items
+    // up to 4GB in size.
     dest_size = FPDFAPI_FlateGetTotalOut(context);
     offset = FPDFAPI_FlateGetTotalIn(context);
     if (result_tmp_bufs.size() == 1) {
@@ -594,14 +598,17 @@
     } else {
       uint8_t* result_buf = FX_Alloc(uint8_t, dest_size);
       uint32_t result_pos = 0;
+      uint32_t remaining = dest_size;
       for (size_t i = 0; i < result_tmp_bufs.size(); i++) {
         uint8_t* tmp_buf = result_tmp_bufs[i];
         uint32_t tmp_buf_size = buf_size;
         if (i == result_tmp_bufs.size() - 1) {
           tmp_buf_size = last_buf_size;
         }
-        FXSYS_memcpy(result_buf + result_pos, tmp_buf, tmp_buf_size);
-        result_pos += tmp_buf_size;
+        uint32_t cp_size = std::min(tmp_buf_size, remaining);
+        FXSYS_memcpy(result_buf + result_pos, tmp_buf, cp_size);
+        result_pos += cp_size;
+        remaining -= cp_size;
         FX_Free(result_tmp_bufs[i]);
       }
       dest_buf = result_buf;