Fix bug in code that grows the line reader buffer.

If buff_ is resized by realloc and did not originally point to
buff0_, then memcpy is called erroneously and with a byte count that
is larger than the size of buff0_.  This is a bug.

Fix by removing buff0_ and replacing it with code that allocates
buff_ on object construction or reset, so that buff_ can safely
be realloc'ed in all circumstances.

BUG=444714

Review URL: https://codereview.chromium.org/845513002

Cr-Commit-Position: refs/heads/master@{#310528}

3 files changed, 18 insertions, 22 deletions

diff --git a/third_party/android_crazy_linker/README.chromium b/third_party/android_crazy_linker/README.chromium
index a5b452d..43f8877 100644
--- a/third_party/android_crazy_linker/README.chromium
+++ b/third_party/android_crazy_linker/README.chromium
@@ -66,3 +66,5 @@ Local Modifications:
 
 - Fix unit test crash caused by use of deleted data inside an unload callback.
 
+- Fix for crbug/444714 (Chrome_Android: Crash Report - -1DB24FB5)
+
diff --git a/third_party/android_crazy_linker/src/src/crazy_linker_line_reader.cpp b/third_party/android_crazy_linker/src/src/crazy_linker_line_reader.cpp
index 8c63370..1efa1d7 100644
--- a/third_party/android_crazy_linker/src/src/crazy_linker_line_reader.cpp
+++ b/third_party/android_crazy_linker/src/src/crazy_linker_line_reader.cpp
@@ -13,30 +13,29 @@
 
 namespace crazy {
 
-LineReader::LineReader() : fd_(), buff_(buff0_) {
-  Reset();
-  eof_ = true;
+LineReader::LineReader() : fd_(), buff_(NULL) {
+  Reset(true);
 }
 
-LineReader::LineReader(const char* path) : fd_(), buff_(buff0_) { Open(path); }
+LineReader::LineReader(const char* path) : fd_(), buff_(NULL) {
+  Open(path);
+}
 
-LineReader::~LineReader() { Reset(); }
+LineReader::~LineReader() {
+  ::free(buff_);
+}
 
 void LineReader::Open(const char* path) {
-  Reset();
-  eof_ = !fd_.OpenReadOnly(path);
+  Reset(!fd_.OpenReadOnly(path));
 }
 
-void LineReader::Reset() {
-  if (buff_ != buff0_)
-    ::free(buff_);
-
-  eof_ = false;
+void LineReader::Reset(bool eof) {
+  eof_ = eof;
   line_start_ = 0;
   line_len_ = 0;
   buff_size_ = 0;
-  buff_capacity_ = sizeof buff0_;
-  buff_ = buff0_;
+  buff_capacity_ = 128;
+  buff_ = static_cast<char*>(::realloc(buff_, buff_capacity_));
 }
 
 bool LineReader::GetNextLine() {
@@ -102,13 +101,9 @@ bool LineReader::GetNextLine() {
 
     // Before reading more data, grow the buffer if needed.
     if (buff_size_ == buff_capacity_) {
-      size_t new_capacity = buff_capacity_ * 2;
-      void* old_buff = (buff_ == buff0_) ? NULL : buff_;
-      buff_ = static_cast<char*>(::realloc(old_buff, new_capacity));
-      if (old_buff != buff_)
-        ::memcpy(buff_, buff0_, buff_capacity_);
+      buff_capacity_ *= 2;
+      buff_ = static_cast<char*>(::realloc(buff_, buff_capacity_));
 
-      buff_capacity_ = new_capacity;
       LLOG("%s: GROW buff_size=%d buff_capacity=%d '%.*s'\n",
            __FUNCTION__,
            buff_size_,
diff --git a/third_party/android_crazy_linker/src/src/crazy_linker_line_reader.h b/third_party/android_crazy_linker/src/src/crazy_linker_line_reader.h
index 0a77f29..fda9053 100644
--- a/third_party/android_crazy_linker/src/src/crazy_linker_line_reader.h
+++ b/third_party/android_crazy_linker/src/src/crazy_linker_line_reader.h
@@ -43,7 +43,7 @@ class LineReader {
   size_t length() const;
 
  private:
-  void Reset();
+  void Reset(bool eof);
 
   FileDescriptor fd_;
   bool eof_;
@@ -52,7 +52,6 @@ class LineReader {
   size_t buff_size_;
   size_t buff_capacity_;
   char* buff_;
-  char buff0_[128];
 };
 
 }  // namespace crazy