From ecca90acee62366e6603a26b0c21a8bce2b97bd9 Mon Sep 17 00:00:00 2001
From: Mark Rogers <mark.rogers@powermapper.com>
Date: Fri, 7 Apr 2017 16:10:51 +0100
Subject: [PATCH] PoDoFo: fix CVE-2917-7378 - out by one buffer read in
 PdfPainterExpandTabs

---
 Electrum/Mapper/Libs/podofo/src/doc/PdfPainter.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/Electrum/Mapper/Libs/podofo/src/doc/PdfPainter.cpp b/Electrum/Mapper/Libs/podofo/src/doc/PdfPainter.cpp
index fb81d98..9d85880 100644
--- a/Electrum/Mapper/Libs/podofo/src/doc/PdfPainter.cpp
+++ b/Electrum/Mapper/Libs/podofo/src/doc/PdfPainter.cpp
@@ -1941,16 +1941,18 @@ PdfString PdfPainter::ExpandTabs( const PdfString & rsString, pdf_long lStringLe
     const pdf_utf16be cTab     = 0x0900;
     const pdf_utf16be cSpace   = 0x2000;
 
+    // CVE-2017-7378 - fixed out-by-one buffer read caused by using
+    // i <= lStringLen instead of i < lStringLen 
     // count the number of tabs in the string
     if( bUnicode ) 
     {
-        for( i=0;i<=lStringLen;i++ )
+        for( i = 0; i < lStringLen; i++ )
             if( rsString.GetUnicode()[i] == cTab ) 
                 ++nTabCnt;
     }
     else
     {
-        for( i=0;i<=lStringLen;i++ )
+        for( i = 0; i < lStringLen; i++ )
             if( rsString.GetString()[i] == '\t' )
                 ++nTabCnt;
     }
-- 
2.2.1