Mass convert memset() to FXSYS_memset().

The FXSYS_ form requires callers to specify UNSAFE_BUFFERS(). Most
affected files are already in the pdfium_unsafe_buffers_paths.txt
suppression file. Other usage is hand-patched with TODO()s to
investigate safety.

-- convert one fxcrt::Fill() missed in previous cl.

Change-Id: I354a530da2439de8bbe7edc9a889857c6b8a4150
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/118390
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Thomas Sepez <tsepez@google.com>

1 files changed, 4 insertions, 4 deletions

diff --git a/core/fxcrt/widestring.cpp b/core/fxcrt/widestring.cpp
index 56dbece1a..944cb825d 100644
--- a/core/fxcrt/widestring.cpp
+++ b/core/fxcrt/widestring.cpp
@@ -267,15 +267,15 @@ std::optional<WideString> TryVSWPrintf(size_t size,
     // Span's lifetime must end before ReleaseBuffer() below.
     pdfium::span<wchar_t> buffer = str.GetBuffer(size);
 
-    // In the following two calls, there's always space in the WideString
-    // for a terminating NUL that's not included in the span.
+    // SAFETY: In the following two calls, there's always space in the
+    // WideString for a terminating NUL that's not included in the span.
     // For vswprintf(), MSAN won't untaint the buffer on a truncated write's
     // -1 return code even though the buffer is written. Probably just as well
     // not to trust the vendor's implementation to write anything anyways.
     // See https://crbug.com/705912.
-    memset(buffer.data(), 0, (size + 1) * sizeof(wchar_t));
+    UNSAFE_BUFFERS(
+        FXSYS_memset(buffer.data(), 0, (size + 1) * sizeof(wchar_t)));
     int ret = vswprintf(buffer.data(), size + 1, pFormat, argList);
-
     bool bSufficientBuffer = ret >= 0 || buffer[size - 1] == 0;
     if (!bSufficientBuffer)
       return std::nullopt;