Ensure ClipboardWin::ReadHTML does not crash on embedded nulls

ui/base/clipboard/clipboard_win.cc

Index: ui/base/clipboard/clipboard_win.cc
diff --git a/ui/base/clipboard/clipboard_win.cc b/ui/base/clipboard/clipboard_win.cc
index ae892c9c0faa8b985aaeb342fb0e018fd5b852e4..cb28043e34bfdbd37fc100555071dc51c5808dad 100644
--- a/ui/base/clipboard/clipboard_win.cc
+++ b/ui/base/clipboard/clipboard_win.cc
@@ -568,8 +568,13 @@ void ClipboardWin::ReadHTML(ClipboardType type,
   offsets.push_back(end_index - html_start);
   markup->assign(base::UTF8ToUTF16AndAdjustOffsets(cf_html.data() + html_start,
                                                    &offsets));
-  *fragment_start = base::checked_cast<uint32_t>(offsets[0]);
-  *fragment_end = base::checked_cast<uint32_t>(offsets[1]);
+  // Ensure the Fragment points within the string; see https://crbug.com/607181.
+  size_t markup_end = markup->length();
+  *fragment_end =
+      base::checked_cast<uint32_t>(std::min(offsets[1], markup_end));
+  *fragment_start =
+      std::min(*fragment_end,
+               base::checked_cast<uint32_t>(std::min(offsets[0], markup_end)));

[dcheng, 2017/04/26 15:19:10]

Nit: I think that if one were to be clever, that this could be shortened to:

*fragment_start =
    base::checked_cast<uint32_t>(std::min(offsets[0], *fragment_end));

As fragment_end is <= markup_end by definition.

[elawrence, 2017/04/26 15:33:44]

Yeah, I'd had it that way originally, but clang won't compile it because "could
not deduce template argument". It requires a cast so the second argument is the
same type as the first, so I've made that change.

 }
 
 void ClipboardWin::ReadRTF(ClipboardType type, std::string* result) const {