Fix read past end of buffer bug in clipboard logic.

CF_HTML formatted strings aren't always null-terminated, so the explicitly provided size should be used. BUG=790697 Change-Id: Ieaef24625f42aaa9b6c452b3484fe99354e821e3 Reviewed-on: https://chromium-review.googlesource.com/803798 Commit-Queue: Chris Hamilton <chrisha@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/master@{#523217}

Fix read past end of buffer bug in clipboard logic.
CF_HTML formatted strings aren't always null-terminated, so the explicitly provided size should be used. BUG=790697 Change-Id: Ieaef24625f42aaa9b6c452b3484fe99354e821e3 Reviewed-on: https://chromium-review.googlesource.com/803798 Commit-Queue: Chris Hamilton <chrisha@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/master@{#523217}
071b6f49 · Chris Hamilton · Commit Bot · f579c56a · 071b6f49
Commit 071b6f49 authored Dec 11, 2017 by Chris Hamilton Committed by Commit Bot Dec 11, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 4 deletions

ui/base/clipboard/clipboard_win.cc ui/base/clipboard/clipboard_win.cc +22 -4

No files found.
--- a/ui/base/clipboard/clipboard_win.cc
+++ b/ui/base/clipboard/clipboard_win.cc
@@ -207,6 +207,15 @@ void FreeData(unsigned int format, HANDLE data) {
    ::GlobalFree(data);
 }

+template <typename StringType>
+void TrimTrailingNulls(StringType* result) {
+  // Text copied to the clipboard may explicitly contain trailing null
+  // characters that should be ignored, depending on the application that does
+  // the copying.
+  while (!result->empty() && result->back() == 0)
+    result->pop_back();
+}
+
 }  // namespace

 // Clipboard::FormatType implementation.
@@ -493,8 +502,10 @@ void ClipboardWin::ReadText(ClipboardType type, base::string16* result) const {
  if (!data)
    return;

-  result->assign(static_cast<const base::char16*>(::GlobalLock(data)));
+  result->assign(static_cast<const base::char16*>(::GlobalLock(data)),
+                 ::GlobalSize(data) / sizeof(base::char16));
  ::GlobalUnlock(data);
+  TrimTrailingNulls(result);
 }

 void ClipboardWin::ReadAsciiText(ClipboardType type,
@@ -516,8 +527,10 @@ void ClipboardWin::ReadAsciiText(ClipboardType type,
  if (!data)
    return;

-  result->assign(static_cast<const char*>(::GlobalLock(data)));
+  result->assign(static_cast<const char*>(::GlobalLock(data)),
+                 ::GlobalSize(data));
  ::GlobalUnlock(data);
+  TrimTrailingNulls(result);
 }

 void ClipboardWin::ReadHTML(ClipboardType type,
@@ -544,8 +557,10 @@ void ClipboardWin::ReadHTML(ClipboardType type,
  if (!data)
    return;

-  std::string cf_html(static_cast<const char*>(::GlobalLock(data)));
+  std::string cf_html(static_cast<const char*>(::GlobalLock(data)),
+                      ::GlobalSize(data));
  ::GlobalUnlock(data);
+  TrimTrailingNulls(&cf_html);

  size_t html_start = std::string::npos;
  size_t start_index = std::string::npos;
@@ -578,6 +593,7 @@ void ClipboardWin::ReadRTF(ClipboardType type, std::string* result) const {
  DCHECK_EQ(type, CLIPBOARD_TYPE_COPY_PASTE);

  ReadData(GetRtfFormatType(), result);
+  TrimTrailingNulls(result);
 }

 SkBitmap ClipboardWin::ReadImage(ClipboardType type) const {
@@ -697,8 +713,10 @@ void ClipboardWin::ReadBookmark(base::string16* title, std::string* url) const {
  if (!data)
    return;

-  base::string16 bookmark(static_cast<const base::char16*>(::GlobalLock(data)));
+  base::string16 bookmark(static_cast<const base::char16*>(::GlobalLock(data)),
+                          ::GlobalSize(data) / sizeof(base::char16));
  ::GlobalUnlock(data);
+  TrimTrailingNulls(&bookmark);

  ParseBookmarkClipboardFormat(bookmark, title, url);
 }