7f3b99a6a78e524613337f42a99b5634c0ad05f8 - pdfium

commit	7f3b99a6a78e524613337f42a99b5634c0ad05f8	[log] [tgz]
author	Tom Sepez <tsepez@chromium.org>	Fri May 15 08:44:31 2015 -0700
committer	Tom Sepez <tsepez@chromium.org>	Fri May 15 08:44:31 2015 -0700
tree	f13654bc0408c72a056b502d3106fd8e28c616e9
parent	b60617f5557a037e64876f7495af80573a35cb4f [diff]

Fix potential UAF in ConcatInPlace.

If ConcatCopy somehow gets a zero nNewlen, it returns early, without
allocating a new m_Data.  ConcatInPlace then frees the old one, leaving
m_Data dangling.

Also be concerned about the multiplication in the widestring version.
So use wmemcpy and let the library cope with it.

R=thestig@chromium.org

Review URL: https://codereview.chromium.org/1130763007

core/include/fxcrt/fx_string.h[diff]
core/src/fxcrt/fx_basic_bstring.cpp[diff]
core/src/fxcrt/fx_basic_bstring_unittest.cpp[diff]
core/src/fxcrt/fx_basic_wstring.cpp[diff]
core/src/fxcrt/fx_basic_wstring_unittest.cpp[diff]

5 files changed

tree: f13654bc0408c72a056b502d3106fd8e28c616e9

build/
core/
fpdfsdk/
public/
samples/
testing/
third_party/
.gitignore
AUTHORS
BUILD.gn
codereview.settings
DEPS
LICENSE
OWNERS
pdfium.gyp
README