Fix heap-use-after-free in V8::Initialize()

fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp

 // Copyright 2014 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
 #include "fpdfsdk/include/fsdk_define.h"
 #include "fpdfsdk/include/fpdfxfa/fpdfxfa_doc.h"
 #include "fpdfsdk/include/fsdk_mgr.h"
 #include "fpdfsdk/include/fpdfxfa/fpdfxfa_app.h"
@@ skipping 1091 matching lines @@
       srcURL = srcURL.Right(csURL.GetLength() - (pos + 1));
   }
   csToAddress.Replace(L",", L";");
   csCCAddress.Replace(L",", L";");
   csBCCAddress.Replace(L",", L";");
   return TRUE;
 }
 
 FX_BOOL CPDFXFA_Document::_SubmitData(IXFA_Doc* hDoc, CXFA_Submit submit) {
 #ifdef PDF_ENABLE_XFA
+  CPDFDoc_Environment* pEnv = m_pSDKDoc->GetEnv();
+  if (!pEnv)
+    return FALSE;
   CFX_WideStringC csURLC;
   submit.GetSubmitTarget(csURLC);
   CFX_WideString csURL = csURLC;
-  CPDFDoc_Environment* pEnv = m_pSDKDoc->GetEnv();
-  if (pEnv == NULL)
-    return FALSE;
   if (csURL.IsEmpty()) {
     CFX_WideString ws;
     ws.FromLocal("Submit cancelled.");
     CFX_ByteString bs = ws.UTF16LE_Encode();
     int len = bs.GetLength() / sizeof(unsigned short);
     pEnv->FFI_Alert((FPDF_WIDESTRING)bs.GetBuffer(len * sizeof(unsigned short)),
                     (FPDF_WIDESTRING)L"", 0, 4);
     bs.ReleaseBuffer(len * sizeof(unsigned short));
     return FALSE;
   }
-
   FPDF_BOOL bRet = TRUE;
-  FPDF_FILEHANDLER* pFileHandler = NULL;
+  FPDF_FILEHANDLER* pFileHandler = nullptr;
   int fileFlag = -1;
-
-  if (submit.GetSubmitFormat() == XFA_ATTRIBUTEENUM_Xdp) {
-    CFX_WideStringC csContentC;
-    submit.GetSubmitXDPContent(csContentC);
-    CFX_WideString csContent;
-    csContent = csContentC.GetPtr();

[jun_fang, 2016/02/02 12:06:09]

Here is the crashed point. 

FXSYS_wcslen was used to get the length of string. However, it relies
on whether the ending chars are "\0\0".  

const CFX_WideString& CFX_WideString::operator=(const FX_WCHAR* lpsz) {
  if (!lpsz || lpsz[0] == 0) {
    Empty();
  } else {
    AssignCopy(FXSYS_wcslen(lpsz), lpsz);
  }
  return *this;
}

-    csContent.TrimLeft();
-    csContent.TrimRight();
-    CFX_WideString space;
-    space.FromLocal(" ");
-    csContent = space + csContent + space;
-    FPDF_DWORD flag = 0;
-    if (submit.IsSubmitEmbedPDF())
-      flag |= FXFA_PDF;
-    _ToXFAContentFlags(csContent, flag);
-    pFileHandler = pEnv->FFI_OpenFile(FXFA_SAVEAS_XDP, NULL, "wb");
-    fileFlag = FXFA_SAVEAS_XDP;
-    _ExportSubmitFile(pFileHandler, FXFA_SAVEAS_XDP, 0, flag);
-  } else if (submit.GetSubmitFormat() == XFA_ATTRIBUTEENUM_Xml) {
-    pFileHandler = pEnv->FFI_OpenFile(FXFA_SAVEAS_XML, NULL, "wb");
-    fileFlag = FXFA_SAVEAS_XML;
-    _ExportSubmitFile(pFileHandler, FXFA_SAVEAS_XML, 0);
-  } else if (submit.GetSubmitFormat() == XFA_ATTRIBUTEENUM_Pdf) {
-    // csfilename = csDocName;
-  } else if (submit.GetSubmitFormat() == XFA_ATTRIBUTEENUM_Formdata) {
-    return FALSE;
-  } else if (submit.GetSubmitFormat() == XFA_ATTRIBUTEENUM_Urlencoded) {
-    pFileHandler = pEnv->FFI_OpenFile(FXFA_SAVEAS_XML, NULL, "wb");
-    fileFlag = FXFA_SAVEAS_XML;
-    _ExportSubmitFile(pFileHandler, FXFA_SAVEAS_XML, 0);
-  } else if (submit.GetSubmitFormat() == XFA_ATTRIBUTEENUM_Xfd) {
-    return FALSE;
-  } else {
-    return FALSE;
+  switch (submit.GetSubmitFormat()) {
+    case XFA_ATTRIBUTEENUM_Xdp: {
+      CFX_WideStringC csContentC;
+      submit.GetSubmitXDPContent(csContentC);
+      CFX_WideString csContent;
+      csContent = csContentC;
+      csContent.TrimLeft();
+      csContent.TrimRight();
+      CFX_WideString space;
+      space.FromLocal(" ");
+      csContent = space + csContent + space;
+      FPDF_DWORD flag = 0;
+      if (submit.IsSubmitEmbedPDF())
+        flag |= FXFA_PDF;
+      _ToXFAContentFlags(csContent, flag);
+      pFileHandler = pEnv->FFI_OpenFile(FXFA_SAVEAS_XDP, nullptr, "wb");
+      fileFlag = FXFA_SAVEAS_XDP;
+      _ExportSubmitFile(pFileHandler, FXFA_SAVEAS_XDP, 0, flag);
+      break;
+    }
+    case XFA_ATTRIBUTEENUM_Xml:
+      pFileHandler = pEnv->FFI_OpenFile(FXFA_SAVEAS_XML, nullptr, "wb");
+      fileFlag = FXFA_SAVEAS_XML;
+      _ExportSubmitFile(pFileHandler, FXFA_SAVEAS_XML, 0);
+      break;
+    case XFA_ATTRIBUTEENUM_Pdf:
+      break;
+    case XFA_ATTRIBUTEENUM_Urlencoded:
+      pFileHandler = pEnv->FFI_OpenFile(FXFA_SAVEAS_XML, nullptr, "wb");
+      fileFlag = FXFA_SAVEAS_XML;
+      _ExportSubmitFile(pFileHandler, FXFA_SAVEAS_XML, 0);
+      break;
+    default:
+      return false;
   }
-  if (pFileHandler == NULL)
+  if (!pFileHandler)
     return FALSE;
   if (0 == csURL.Left(7).CompareNoCase(L"mailto:")) {
     CFX_WideString csToAddress;
     CFX_WideString csCCAddress;
     CFX_WideString csBCCAddress;
     CFX_WideString csSubject;
     CFX_WideString csMsg;
-
     bRet = _MailToInfo(csURL, csToAddress, csCCAddress, csBCCAddress, csSubject,
                        csMsg);
-    if (FALSE == bRet)
+    if (!bRet)
       return FALSE;
-
     CFX_ByteString bsTo = CFX_WideString(csToAddress).UTF16LE_Encode();
     CFX_ByteString bsCC = CFX_WideString(csCCAddress).UTF16LE_Encode();
     CFX_ByteString bsBcc = CFX_WideString(csBCCAddress).UTF16LE_Encode();
     CFX_ByteString bsSubject = CFX_WideString(csSubject).UTF16LE_Encode();
     CFX_ByteString bsMsg = CFX_WideString(csMsg).UTF16LE_Encode();
-
     FPDF_WIDESTRING pTo = (FPDF_WIDESTRING)bsTo.GetBuffer(bsTo.GetLength());
     FPDF_WIDESTRING pCC = (FPDF_WIDESTRING)bsCC.GetBuffer(bsCC.GetLength());
     FPDF_WIDESTRING pBcc = (FPDF_WIDESTRING)bsBcc.GetBuffer(bsBcc.GetLength());
     FPDF_WIDESTRING pSubject =
         (FPDF_WIDESTRING)bsSubject.GetBuffer(bsSubject.GetLength());
     FPDF_WIDESTRING pMsg = (FPDF_WIDESTRING)bsMsg.GetBuffer(bsMsg.GetLength());
-
     pEnv->FFI_EmailTo(pFileHandler, pTo, pSubject, pCC, pBcc, pMsg);
     bsTo.ReleaseBuffer();
     bsCC.ReleaseBuffer();
     bsBcc.ReleaseBuffer();
     bsSubject.ReleaseBuffer();
     bsMsg.ReleaseBuffer();
   } else {
     // http¡¢ftp
     CFX_WideString ws;
     CFX_ByteString bs = csURL.UTF16LE_Encode();
     int len = bs.GetLength() / sizeof(unsigned short);
     pEnv->FFI_UploadTo(
         pFileHandler, fileFlag,
         (FPDF_WIDESTRING)bs.GetBuffer(len * sizeof(unsigned short)));
     bs.ReleaseBuffer(len * sizeof(unsigned short));
   }
-
   return bRet;
 #else
   return TRUE;
 #endif
 }
 
 FX_BOOL CPDFXFA_Document::SetGlobalProperty(IXFA_Doc* hDoc,
                                             const CFX_ByteStringC& szPropName,
                                             FXJSE_HVALUE hValue) {
   if (hDoc != m_pXFADoc)
@@ skipping 35 matching lines @@
   }
 
   return _GetHValueByName(szPropName, hValue,
                           m_pSDKDoc->GetEnv()->GetJSRuntime());
 }
 FX_BOOL CPDFXFA_Document::_GetHValueByName(const CFX_ByteStringC& utf8Name,
                                            FXJSE_HVALUE hValue,
                                            IJS_Runtime* runTime) {
   return runTime->GetHValueByName(utf8Name, hValue);
 }