Bug 1513201 - Handle pasted data of certain types with an odd length. r=mats, a=RyanVM
authorAlex Gaynor <agaynor@mozilla.com>
Wed, 12 Dec 2018 17:34:27 +0000
changeset 509039 3ebfb70bbd0bd65cb4ab8b7ed1bb3a4e43af3fa6
parent 509038 4c0ab314be9af3ed0e57b59ca1bf3c76442796ee
child 509040 d2c26e2f11646f98fa28c8047b9d98b0e97b7399
push id1905
push userffxbld-merge
push dateMon, 21 Jan 2019 12:33:13 +0000
treeherdermozilla-release@c2fca1944d8c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmats, RyanVM
bugs1513201
milestone65.0
Bug 1513201 - Handle pasted data of certain types with an odd length. r=mats, a=RyanVM Differential Revision: https://phabricator.services.mozilla.com/D14150
widget/windows/nsClipboard.cpp
--- a/widget/windows/nsClipboard.cpp
+++ b/widget/windows/nsClipboard.cpp
@@ -275,26 +275,28 @@ NS_IMETHODIMP nsClipboard::SetNativeClip
   return NS_OK;
 }
 
 //-------------------------------------------------------------------------
 nsresult nsClipboard::GetGlobalData(HGLOBAL aHGBL, void** aData,
                                     uint32_t* aLen) {
   // Allocate a new memory buffer and copy the data from global memory.
   // Recall that win98 allocates to nearest DWORD boundary. As a safety
-  // precaution, allocate an extra 2 bytes (but don't report them!) and
-  // null them out to ensure that all of our strlen calls will succeed.
+  // precaution, allocate an extra 3 bytes (but don't report them in |aLen|!)
+  // and null them out to ensure that all of our NS_strlen calls will succeed.
+  // NS_strlen operates on char16_t, so we need 3 NUL bytes to ensure it finds
+  // a full NUL char16_t when |*aLen| is odd.
   nsresult result = NS_ERROR_FAILURE;
   if (aHGBL != nullptr) {
     LPSTR lpStr = (LPSTR)GlobalLock(aHGBL);
     DWORD allocSize = GlobalSize(aHGBL);
-    char* data = static_cast<char*>(malloc(allocSize + sizeof(char16_t)));
+    char* data = static_cast<char*>(malloc(allocSize + 3));
     if (data) {
       memcpy(data, lpStr, allocSize);
-      data[allocSize] = data[allocSize + 1] =
+      data[allocSize] = data[allocSize + 1] = data[allocSize + 2] =
           '\0';  // null terminate for safety
 
       GlobalUnlock(aHGBL);
       *aData = data;
       *aLen = allocSize;
 
       result = NS_OK;
     }