Fix potential UAF in ConcatInPlace.
author Tom Sepez <tsepez@chromium.org>
Fri, 15 May 2015 15:44:31 +0000 (08:44 -0700)
committer Tom Sepez <tsepez@chromium.org>
Fri, 15 May 2015 15:44:31 +0000 (08:44 -0700)
commit 7f3b99a6a78e524613337f42a99b5634c0ad05f8
tree f13654bc0408c72a056b502d3106fd8e28c616e9
parent b60617f5557a037e64876f7495af80573a35cb4f
Fix potential UAF in ConcatInPlace.

If ConcatCopy somehow gets a zero nNewlen, it returns early, without
allocating a new m_Data.  ConcatInPlace then frees the old one, leaving
m_Data dangling.

Also be concerned about the multiplication in the widestring version.
So use wmemcpy and let the library cope with it.

R=thestig@chromium.org

Review URL: https://codereview.chromium.org/1130763007
core/include/fxcrt/fx_string.h
core/src/fxcrt/fx_basic_bstring.cpp
core/src/fxcrt/fx_basic_bstring_unittest.cpp
core/src/fxcrt/fx_basic_wstring.cpp
core/src/fxcrt/fx_basic_wstring_unittest.cpp
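
The failure mode the commit message describes, as an added example that is not PDFium's code and not part of this commit. A toy string class reuses the names ConcatCopy, ConcatInPlace, m_Data and nNewLen from the message; ToyString, the live-buffer set, the `hardened` flag, the fix it selects and the zero-length trigger are all assumptions made for illustration.

```cpp
#include <cstring>
#include <set>
// Constructed model, not PDFium code. Live buffers are tracked in a set so a
// dangling m_Data can be detected without dereferencing it.
static std::set<const void*> g_live;
static char* AllocBuf(std::size_t n) { char* p = new char[n + 1]; g_live.insert(p); return p; }
static void FreeBuf(char* p) { g_live.erase(p); delete[] p; }

struct ToyString {
  char* m_Data = nullptr;
  std::size_t m_Len = 0;
  bool hardened;  // hypothetical switch: false = pattern from the commit message
  ToyString(bool h, const char* s = "") : m_Len(std::strlen(s)), hardened(h) {
    m_Data = AllocBuf(m_Len);
    std::memcpy(m_Data, s, m_Len + 1);
  }
  ~ToyString() { if (m_Data && g_live.count(m_Data)) FreeBuf(m_Data); }
  bool Dangling() const { return m_Data && !g_live.count(m_Data); }
  void ConcatCopy(const char* a, std::size_t aLen, const char* b, std::size_t bLen) {
    std::size_t nNewLen = aLen + bLen;
    if (nNewLen == 0) {  // early return: unhardened path keeps the old m_Data
      if (hardened) { m_Data = nullptr; m_Len = 0; }  // assumed fix, not the commit's
      return;
    }
    char* p = AllocBuf(nNewLen);
    std::memcpy(p, a, aLen);
    std::memcpy(p + aLen, b, bLen);
    p[nNewLen] = '\0';
    m_Data = p; m_Len = nNewLen;
  }
  void ConcatInPlace(const char* src, std::size_t srcLen) {
    char* pOld = m_Data;
    ConcatCopy(pOld, m_Len, src, srcLen);  // caller assumes a fresh m_Data exists
    FreeBuf(pOld);                         // old buffer is released regardless
  }
};
// Constructed trigger: append zero bytes to an empty string so nNewLen == 0.
bool DanglesAfterEmptyConcat(bool hardened) {
  ToyString s(hardened);
  s.ConcatInPlace("", 0);
  return s.Dangling();
}
// Ordinary append must behave the same in both variants.
bool NormalConcatWorks(bool hardened) {
  ToyString s(hardened, "ab");
  s.ConcatInPlace("cd", 2);
  return !s.Dangling() && s.m_Len == 4 && std::strcmp(s.m_Data, "abcd") == 0;
}
int main() { return DanglesAfterEmptyConcat(false) && !DanglesAfterEmptyConcat(true) ? 0 : 1; }
```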