Fix buffer overrun in PDF accessibility code.
GetTextRunInfo scans until it finds the start of the next text run, then increments the character index by 1 in order to scan to the end of the text run. That was resulting in a buffer overrun if the first scan reached the end of the array of characters without finding a non-whitespace character. Fix it by ensuring we never increment past the char count. BUG=668724 Review-Url: https://codereview.chromium.org/2650513002 Cr-Commit-Position: refs/heads/master@{#447344}
@ -742,6 +742,21 @@ IN_PROC_BROWSER_TEST_F(PDFExtensionTest, PdfAccessibilityInOOPIF) {
|
||||
ASSERT_MULTILINE_STREQ(kExpectedPDFAXTree, ax_tree_dump);
|
||||
}
|
||||
|
||||
#if defined(GOOGLE_CHROME_BUILD)
|
||||
// Test a particular PDF encountered in the wild that triggered a crash
|
||||
// when accessibility is enabled. (http://crbug.com/668724)
|
||||
IN_PROC_BROWSER_TEST_F(PDFExtensionTest, PdfAccessibilityTextRunCrash) {
|
||||
content::BrowserAccessibilityState::GetInstance()->EnableAccessibility();
|
||||
GURL test_pdf_url(embedded_test_server()->GetURL(
|
||||
"/pdf_private/accessibility_crash_2.pdf"));
|
||||
|
||||
content::WebContents* guest_contents = LoadPdfGetGuestContents(test_pdf_url);
|
||||
ASSERT_TRUE(guest_contents);
|
||||
|
||||
WaitForAccessibilityTreeToContainNodeWithName(guest_contents, "Page 1");
|
||||
}
|
||||
#endif
|
||||
|
||||
IN_PROC_BROWSER_TEST_F(PDFExtensionTest, LinkCtrlLeftClick) {
|
||||
host_resolver()->AddRule("www.example.com", "127.0.0.1");
|
||||
GURL test_pdf_url(embedded_test_server()->GetURL("/pdf/test-link.pdf"));
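Review bot: The regression test is compiled only under `GOOGLE_CHROME_BUILD` because its fixture lives in `/pdf_private/`, so public Chromium builds get no automated coverage of the new bound check in GetTextRunInfo. If the trigger really is just a text run whose remaining characters are all whitespace, as the commit message describes, a small synthetic PDF under `/pdf/` should reproduce it in every configuration; consider adding one alongside this private case. The test asserts only that a node named "Page 1" appears, which is adequate for a crash regression but would not notice a silently truncated last run, so a follow-up that dumps the tree for the synthetic fixture would be worth it. The `#endif` would read better with the usual trailing comment, `#endif  // defined(GOOGLE_CHROME_BUILD)`.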
|
||||
|
@ -180,7 +180,8 @@ void PDFiumPage::GetTextRunInfo(int start_char_index,
|
||||
int text_run_font_size = FPDFText_GetFontSize(text_page, char_index);
|
||||
pp::FloatRect text_run_bounds =
|
||||
GetFloatCharRectInPixels(page, text_page, char_index);
|
||||
char_index++;
|
||||
if (char_index < chars_count)
|
||||
char_index++;
|
||||
while (char_index < chars_count) {
|
||||
unsigned int character = FPDFText_GetUnicode(text_page, char_index);
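Review bot: The guard on `char_index++` stops the index from reaching `chars_count + 1`, but in the case the description says triggered the overrun (first scan ends with `char_index == chars_count`) the preceding `FPDFText_GetFontSize(text_page, char_index)` and `GetFloatCharRectInPixels(page, text_page, char_index)` are still evaluated with an index one past the last character before the guard runs. PDFium's public FPDFText_* accessors appear to bounds-check and return 0/false for an out-of-range index, so this is probably benign, but it would be clearer to bail out right after the first scan, e.g. `if (char_index >= chars_count) return;` after filling the out-params with an empty run, rather than relying on those helpers tolerating the sentinel index. A comment on the new guard would also help the next reader: `// The first scan may have stopped at chars_count (only whitespace was left); never step past the end.` GetTextRunInfo begins and ends outside this hunk, so the first scan and the out-params are not visible here.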
|
||||
|
||||
|