commit 816ff7b92ff0f94e4ffaafc975b08d2c4c1a6417
author ochang <ochang@chromium.org> Fri May 27 10:16:12 2016 -0700
committer Commit bot <commit-bot@chromium.org> Fri May 27 10:16:12 2016 -0700
tree 03486c741f89bb7da4ce96ab01630429b7bdcd59
parent 800222e01e3fcdd57536fc987e773677829dd708

Make sure CFDE_XMLSyntaxParser's buffer is null terminated.

BUG=chromium:614962

Review-Url: https://codereview.chromium.org/2017803002

xfa/fde/xml/fde_xml_imp.cpp

diff --git a/xfa/fde/xml/fde_xml_imp.cpp b/xfa/fde/xml/fde_xml_imp.cpp
index d7b22e0..6a2c9fe 100644
--- a/xfa/fde/xml/fde_xml_imp.cpp
+++ b/xfa/fde/xml/fde_xml_imp.cpp
@@ -8,6 +8,7 @@
 
 #include <algorithm>
 
+#include "core/fxcrt/include/fx_safe_types.h"
 #include "xfa/fgas/crt/fgas_codepage.h"
 #include "xfa/fgas/crt/fgas_system.h"
 
@@ -1474,7 +1475,15 @@
   uint8_t bom[4];
   m_iCurrentPos = m_pStream->GetBOM(bom);
   ASSERT(m_pBuffer == NULL);
-  m_pBuffer = FX_Alloc(FX_WCHAR, m_iXMLPlaneSize);
+
+  FX_SAFE_INT32 alloc_size_safe = m_iXMLPlaneSize;
+  alloc_size_safe += 1;  // For NUL.
+  if (!alloc_size_safe.IsValid() || alloc_size_safe.ValueOrDie() <= 0) {
+    m_syntaxParserResult = FDE_XmlSyntaxResult::Error;
+    return;
+  }
+
+  m_pBuffer = FX_Alloc(FX_WCHAR, alloc_size_safe.ValueOrDie());
   m_pStart = m_pEnd = m_pBuffer;
   ASSERT(!m_BlockBuffer.IsInitialized());
   m_BlockBuffer.InitBuffer();