Array index [0] on zero length array is undefined on C++03

and will assert when _ITERATOR_DEBUG_LEVEL is set to >= 1 on VS2010 Add protection against this code. This is the same underlying issue as 132037 so tagging to that bug BUG=132037 TEST=browser_tests --gtest_filter=OutOfProcessPPAPITest.* Review URL: https://codereview.chromium.org/26005003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@228529 0039d316-1c4b-4281-b951-d872f2087c98
author: wfh@chromium.org <wfh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2013-10-14 21:24:24 +0000
committer: wfh@chromium.org <wfh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2013-10-14 21:24:24 +0000
commit: b43734a17cbd7b23bfda66d834f801c759135c1e (patch)
tree: 1eb15f4fe67c44431ce4eaaeb754290102ef655e /content/renderer
parent: a941d4e57a9c663e2c9feb3779fef16f8f3f7457 (diff)
download: chromium_src-b43734a17cbd7b23bfda66d834f801c759135c1e.zip
chromium_src-b43734a17cbd7b23bfda66d834f801c759135c1e.tar.gz
chromium_src-b43734a17cbd7b23bfda66d834f801c759135c1e.tar.bz2
1 files changed, 7 insertions, 3 deletions
diff --git a/content/renderer/pepper/pepper_truetype_font_win.cc b/content/renderer/pepper/pepper_truetype_font_win.cc
index e515bd1..b8c5f96 100644
--- a/content/renderer/pepper/pepper_truetype_font_win.cc
+++ b/content/renderer/pepper/pepper_truetype_font_win.cc
@@ -219,13 +219,17 @@ int32_t PepperTrueTypeFontWin::GetTable(uint32_t table_tag,
   if (table_size == GDI_ERROR)
     return PP_ERROR_FAILED;
 
+  // TODO(bbudge1) add check for when offset > file size
   DWORD safe_offset = std::min(static_cast<DWORD>(offset), table_size);
   DWORD safe_length = std::min(table_size - safe_offset,
                                static_cast<DWORD>(max_data_length));
   data->resize(safe_length);
-  table_size = GetFontData(hdc, table_tag, safe_offset,
-                           reinterpret_cast<uint8_t*>(&(*data)[0]),
-                           safe_length);
+  if (max_data_length == 0)
+    table_size = 0;
+  else
+    table_size = GetFontData(hdc, table_tag, safe_offset,
+                             reinterpret_cast<uint8_t*>(&(*data)[0]),
+                             safe_length);
   if (table_size == GDI_ERROR)
     return PP_ERROR_FAILED;
   return static_cast<int32_t>(table_size);
author	wfh@chromium.org <wfh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2013-10-14 21:24:24 +0000
committer	wfh@chromium.org <wfh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2013-10-14 21:24:24 +0000
commit	b43734a17cbd7b23bfda66d834f801c759135c1e (patch)
tree	1eb15f4fe67c44431ce4eaaeb754290102ef655e /content/renderer
parent	a941d4e57a9c663e2c9feb3779fef16f8f3f7457 (diff)
download	chromium_src-b43734a17cbd7b23bfda66d834f801c759135c1e.zip chromium_src-b43734a17cbd7b23bfda66d834f801c759135c1e.tar.gz chromium_src-b43734a17cbd7b23bfda66d834f801c759135c1e.tar.bz2