XFA: bound memcpy length in _png_load_bmp_attribute()
authorTom Sepez <tsepez@chromium.org>
Wed, 11 Mar 2015 21:41:17 +0000 (14:41 -0700)
committerTom Sepez <tsepez@chromium.org>
Wed, 11 Mar 2015 21:41:17 +0000 (14:41 -0700)
BUG=466338
R=thestig@chromium.org

Review URL: https://codereview.chromium.org/997273002

core/src/fxcodec/codec/fx_codec_png.cpp

index 8c26381..ea5ffaf 100644 (file)
@@ -69,8 +69,9 @@ static void _png_load_bmp_attribute(png_structp png_ptr, png_infop info_ptr, CFX
             buf = "Time";\r
             if (!FXSYS_memcmp32(buf, text[i].key, FX_MIN(len, FXSYS_strlen(buf)))) {\r
                 if (!bTime) {\r
-                    FXSYS_memset32(pAttribute->m_strTime, 0, 20);\r
-                    FXSYS_memcpy32(pAttribute->m_strTime, text[i].text, text[i].text_length);\r
+                    FXSYS_memset32(pAttribute->m_strTime, 0, sizeof(pAttribute->m_strTime));\r
+                    FXSYS_memcpy32(pAttribute->m_strTime, text[i].text,\r
+                                   FX_MIN(sizeof(pAttribute->m_strTime) - 1, text[i].text_length));\r
                 }\r
             } else {\r
                 buf = "Author";\r
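Review bot: The new bound in the `Time` branch is only correct while `m_strTime` is a fixed-size array member, because `sizeof(pAttribute->m_strTime)` would silently become the pointer size if the field were ever changed to a pointer; the declaration is not visible in this hunk, though the old literal `20` suggests a 20-byte array. A text value longer than the buffer is now truncated without any signal, which deserves a comment above the copy, for example `// m_strTime is a fixed char array: copy at most sizeof - 1 bytes so the zero-filled buffer stays NUL-terminated; longer text is truncated`. The key match on the context line above uses `FX_MIN(len, FXSYS_strlen(buf))`, so it appears to be a prefix comparison that would also succeed for a zero-length key; `len` is set outside the hunk, so this is something to confirm rather than a confirmed defect. `_png_load_bmp_attribute` starts and ends outside the hunk, so the other attribute branches (such as `Author`) could not be checked for the same unbounded-copy pattern.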