XFA: bound memcpy length in _png_load_bmp_attribute()
BUG=466338
R=thestig@chromium.org
Review URL: https://codereview.chromium.org/997273002
diff --git a/core/src/fxcodec/codec/fx_codec_png.cpp b/core/src/fxcodec/codec/fx_codec_png.cpp
index 8c26381..ea5ffaf 100644
--- a/core/src/fxcodec/codec/fx_codec_png.cpp
+++ b/core/src/fxcodec/codec/fx_codec_png.cpp
@@ -69,8 +69,9 @@
buf = "Time";
if (!FXSYS_memcmp32(buf, text[i].key, FX_MIN(len, FXSYS_strlen(buf)))) {
if (!bTime) {
- FXSYS_memset32(pAttribute->m_strTime, 0, 20);
- FXSYS_memcpy32(pAttribute->m_strTime, text[i].text, text[i].text_length);
+ FXSYS_memset32(pAttribute->m_strTime, 0, sizeof(pAttribute->m_strTime));
+ FXSYS_memcpy32(pAttribute->m_strTime, text[i].text,
+ FX_MIN(sizeof(pAttribute->m_strTime) - 1, text[i].text_length));
}
} else {
buf = "Author";
