diff options
| author | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-29 22:48:16 +0000 |
|---|---|---|
| committer | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-29 22:48:16 +0000 |
| commit | 938b23821ee343274ca4b9d55d5da3ffb3126651 (patch) | |
| tree | 7c7e597ab2b5607248bac05d7458d49d98b411cd /pdf | |
| parent | 449ceab5755b5dab8884a88c179e8732e5a2a892 (diff) | |
| download | chromium_src-938b23821ee343274ca4b9d55d5da3ffb3126651.zip chromium_src-938b23821ee343274ca4b9d55d5da3ffb3126651.tar.gz chromium_src-938b23821ee343274ca4b9d55d5da3ffb3126651.tar.bz2 | |
Don't return uninitialized memory from PDFiumEngine::Form_Response().
If the response is too long to return in the caller-supplied buffer,
truncate it to fit per the description of the app_response method in
third_party/pdfium/fpdfsdk/include/fpdfformfill.h
BUG=397834
Review URL: https://codereview.chromium.org/424883002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@286323 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'pdf')
| -rw-r--r-- | pdf/pdfium/pdfium_engine.cc | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/pdf/pdfium/pdfium_engine.cc b/pdf/pdfium/pdfium_engine.cc index d87b6db..e8c164b 100644 --- a/pdf/pdfium/pdfium_engine.cc +++ b/pdf/pdfium/pdfium_engine.cc @@ -3071,8 +3071,10 @@ int PDFiumEngine::Form_Response(IPDF_JSPLATFORM* param, std::string rv = engine->client_->Prompt(question_str, default_str); base::string16 rv_16 = base::UTF8ToUTF16(rv); int rv_bytes = rv_16.size() * sizeof(base::char16); - if (response && rv_bytes <= length) - memcpy(response, rv_16.c_str(), rv_bytes); + if (response) { + int bytes_to_copy = rv_bytes < length ? rv_bytes : length; + memcpy(response, rv_16.c_str(), bytes_to_copy); + } return rv_bytes; } |