From 938b23821ee343274ca4b9d55d5da3ffb3126651 Mon Sep 17 00:00:00 2001
From: "tsepez@chromium.org"
Date: Tue, 29 Jul 2014 22:48:16 +0000
Subject: Don't return uninitialized memory from PDFiumEngine::Form_Response().

If the response is too long to return in the caller-supplied buffer, truncate it to fit per the description of the app_response method in third_party/pdfium/fpdfsdk/include/fpdfformfill.h

BUG=397834
Review URL: https://codereview.chromium.org/424883002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@286323 0039d316-1c4b-4281-b951-d872f2087c98
---
 pdf/pdfium/pdfium_engine.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pdf/pdfium/pdfium_engine.cc b/pdf/pdfium/pdfium_engine.cc
index d87b6db..e8c164b 100644
--- a/pdf/pdfium/pdfium_engine.cc
+++ b/pdf/pdfium/pdfium_engine.cc
@@ -3071,8 +3071,10 @@ int PDFiumEngine::Form_Response(IPDF_JSPLATFORM* param,
 std::string rv = engine->client_->Prompt(question_str, default_str);
 base::string16 rv_16 = base::UTF8ToUTF16(rv);
 int rv_bytes = rv_16.size() * sizeof(base::char16);
- if (response && rv_bytes <= length)
- memcpy(response, rv_16.c_str(), rv_bytes);
+ if (response) {
+ int bytes_to_copy = rv_bytes < length ? rv_bytes : length;
+ memcpy(response, rv_16.c_str(), bytes_to_copy);
+ }
 return rv_bytes;
 }
-- 
cgit v1.1
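Review bot: The new `bytes_to_copy = rv_bytes < length ? rv_bytes : length` still trusts `length` to be non-negative and even, and in both respects it is weaker than the `rv_bytes <= length` guard it replaces. If `length` is a signed int, as the comparison suggests, a negative value now selects `length` itself and hands a negative count to memcpy, where the old code skipped the copy entirely; and an odd `length` ends the copy in the middle of a base::char16 code unit, so the caller receives a half character. Both are closed by guarding on a positive length and rounding the count down to whole code units: `if (response && length > 0) {`, `int bytes_to_copy = rv_bytes < length ? rv_bytes : length;`, `bytes_to_copy -= bytes_to_copy % sizeof(base::char16);`. The implicit size_t-to-int narrowing in `rv_bytes` is pre-existing and untouched by this change. Form_Response's signature and the start of its body lie outside the hunk, so the declared type of `length` cannot be confirmed here.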