Ensure ClipboardWin::ReadHTML does not crash on embedded nulls

ui/base/clipboard/clipboard_win.cc

Index: ui/base/clipboard/clipboard_win.cc
diff --git a/ui/base/clipboard/clipboard_win.cc b/ui/base/clipboard/clipboard_win.cc
index ae892c9c0faa8b985aaeb342fb0e018fd5b852e4..5e42d993427e9f5f55107f7fc1439ea124b5a4e5 100644
--- a/ui/base/clipboard/clipboard_win.cc
+++ b/ui/base/clipboard/clipboard_win.cc
@@ -569,7 +569,10 @@ void ClipboardWin::ReadHTML(ClipboardType type,
   markup->assign(base::UTF8ToUTF16AndAdjustOffsets(cf_html.data() + html_start,
                                                    &offsets));
   *fragment_start = base::checked_cast<uint32_t>(offsets[0]);
-  *fragment_end = base::checked_cast<uint32_t>(offsets[1]);
+
+  // Ensure EndFragment points within the string; see https://crbug.com/607181.
+  *fragment_end =
+      base::checked_cast<uint32_t>(std::min(offsets[1], markup->length()));

[dcheng, 2017/04/22 08:25:25]

Should we do this for offsets[0] as well?

[elawrence, 2017/04/25 16:20:19]

Embedded nulls (the known repro case) aren't problematic for the fragment_start
value, but in the case of a very malformed CF_HTML, it's certainly possible that
the StartFragment index on the clipboard points outside of
GlobalSize(data)/EndHTML.

To address that, I'll ensure final fragment_start value is <= fragment_end.

[dcheng, 2017/04/26 00:42:08]

Why can't embedded nulls appear before fragment start?

[elawrence, 2017/04/26 15:11:22]

Ah, you're right in the general case. In the case of the client I've been using,
the fragment always contains the entire markup. 

 }
 
 void ClipboardWin::ReadRTF(ClipboardType type, std::string* result) const {