From 64d81572b36829960001fc34314604f71c6bd50a Mon Sep 17 00:00:00 2001
From: "deepak.m1"
Date: Fri, 26 Sep 2014 21:11:24 -0700
Subject: Memory allocation for WriteInto is not proper.

Memory for WriteInto() should be greater than the url length, As in the WriteInto() it reserve the memory of size 'length_with_null' and then resize it to "length_with_null-1' Chnage done to give memory 1 greater than the url length size.
BUG=417732
Review URL: https://codereview.chromium.org/599373003
Cr-Commit-Position: refs/heads/master@{#297102}
---
 pdf/pdfium/pdfium_engine.cc | 4 ++--
 pdf/pdfium/pdfium_page.cc | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'pdf')
diff --git a/pdf/pdfium/pdfium_engine.cc b/pdf/pdfium/pdfium_engine.cc
index 8fe2695..f3ff3cf 100644
--- a/pdf/pdfium/pdfium_engine.cc
+++ b/pdf/pdfium/pdfium_engine.cc
@@ -3394,8 +3394,8 @@ bool PDFiumEngineExports::RenderPDFPageToDC(const void* pdf_buffer,
 base::string16 creator;
 size_t buffer_bytes = FPDF_GetMetaText(doc, "Creator", NULL, 0);
 if (buffer_bytes > 1) {
- FPDF_GetMetaText(doc, "Creator", WriteInto(&creator, buffer_bytes),
- buffer_bytes);
+ FPDF_GetMetaText(
+ doc, "Creator", WriteInto(&creator, buffer_bytes + 1), buffer_bytes);
 }
 bool use_bitmap = false;
 if (StartsWith(creator, L"cairo", false))
diff --git a/pdf/pdfium/pdfium_page.cc b/pdf/pdfium/pdfium_page.cc
index 1f6390c..d8a5dce 100644
--- a/pdf/pdfium/pdfium_page.cc
+++ b/pdf/pdfium/pdfium_page.cc
@@ -305,7 +305,7 @@ PDFiumPage::Area PDFiumPage::GetLinkTarget(
 size_t buffer_size =
 FPDFAction_GetURIPath(engine_->doc(), action, NULL, 0);
 if (buffer_size > 1) {
- void* data = WriteInto(&target->url, buffer_size);
+ void* data = WriteInto(&target->url, buffer_size + 1);
 FPDFAction_GetURIPath(engine_->doc(), action, data, buffer_size);
 }
 }
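Review bot: `buffer_bytes` reads as a byte count, but in the RenderPDFPageToDC hunk it is passed to `WriteInto(&creator, buffer_bytes + 1)` as the element count of a `base::string16`, whose elements are wider than one byte. If FPDF_GetMetaText does report bytes, the string is sized well past the text it receives and `creator` keeps that padded length after the call, so its size no longer describes its content. Deriving the character count first (`buffer_bytes / sizeof(base::char16)`) and passing that to WriteInto would keep the two in step, and the return value of the second FPDF_GetMetaText call is worth checking against `buffer_bytes` before `creator` is used. The function body starts and continues outside this hunk.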
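Review bot: With `WriteInto(&target->url, buffer_size + 1)` in GetLinkTarget the string ends up with size `buffer_size` (the commit message says WriteInto resizes to its argument minus one), while FPDFAction_GetURIPath is still told to write `buffer_size` bytes. If that count includes the terminating NUL, as the `buffer_size > 1` guard suggests, `target->url` now carries the NUL as its last character, and later comparisons or URL handling work on a string with an embedded terminator. Either keep the WriteInto argument equal to the length including the NUL, or trim after the call, e.g. `target->url.resize(buffer_size - 1);`. The same applies to `WriteInto(&url, url_length + 1)` in the CalculateLinks hunk and to `creator` in pdfium_engine.cc. GetLinkTarget's body starts and ends outside this hunk.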
@@ -389,7 +389,7 @@ void PDFiumPage::CalculateLinks() {
 int url_length = FPDFLink_GetURL(links, i, NULL, 0);
 if (url_length > 1) { // WriteInto needs at least 2 characters.
 unsigned short* data =
- reinterpret_cast(WriteInto(&url, url_length));
+ reinterpret_cast(WriteInto(&url, url_length + 1));
 FPDFLink_GetURL(links, i, data, url_length);
 }
 Link link;
--
cgit v1.1