Memory allocation for WriteInto is not proper.

Memory for WriteInto() should be greater than the url length,
As in the WriteInto() it reserve the memory of size 'length_with_null'
and then resize it to "length_with_null-1'
Chnage done to give memory 1 greater than the url length size.

BUG=417732

Review URL: https://codereview.chromium.org/599373003

Cr-Commit-Position: refs/heads/master@{#297102}

pdf/pdfium/pdfium_engine.cc

@@ -3394,8 +3394,8 @@ bool PDFiumEngineExports::RenderPDFPageToDC(const void* pdf_buffer,
   base::string16 creator;
   size_t buffer_bytes = FPDF_GetMetaText(doc, "Creator", NULL, 0);
   if (buffer_bytes > 1) {
-    FPDF_GetMetaText(doc, "Creator", WriteInto(&creator, buffer_bytes),
-                     buffer_bytes);
+    FPDF_GetMetaText(
+        doc, "Creator", WriteInto(&creator, buffer_bytes + 1), buffer_bytes);
   }
   bool use_bitmap = false;
   if (StartsWith(creator, L"cairo", false))

pdf/pdfium/pdfium_page.cc

@@ -305,7 +305,7 @@ PDFiumPage::Area PDFiumPage::GetLinkTarget(
             size_t buffer_size =
                 FPDFAction_GetURIPath(engine_->doc(), action, NULL, 0);
             if (buffer_size > 1) {
-              void* data = WriteInto(&target->url, buffer_size);
+              void* data = WriteInto(&target->url, buffer_size + 1);
               FPDFAction_GetURIPath(engine_->doc(), action, data, buffer_size);
             }
           }
@@ -389,7 +389,7 @@ void PDFiumPage::CalculateLinks() {
     int url_length = FPDFLink_GetURL(links, i, NULL, 0);
     if (url_length > 1) {  // WriteInto needs at least 2 characters.
       unsigned short* data =
-          reinterpret_cast<unsigned short*>(WriteInto(&url, url_length));
+          reinterpret_cast<unsigned short*>(WriteInto(&url, url_length + 1));
       FPDFLink_GetURL(links, i, data, url_length);
     }
     Link link;