authorLei Zhang <thestig@chromium.org>2018-03-19 18:00:55 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-03-19 18:00:55 +0000
commit704a617ec011cda5c821d210c83f311f0ba5b15c (patch)
treeb62877215aa55310523adf7b141c4fb2d0e9b195
parent20c94774cc7efb3d90d3181539714f43fdcf01d2 (diff)
downloadpdfium-704a617ec011cda5c821d210c83f311f0ba5b15c.tar.xz
Avoid crashing in FPDFText_CountRects() for invalid start values.
BUG=chromium:821305 Change-Id: I371572f60ea3984ce044e25125d882b3c2d03115 Reviewed-on: https://pdfium-review.googlesource.com/28733 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
-rw-r--r--core/fpdftext/cpdf_textpage.cpp4
-rw-r--r--fpdfsdk/fpdftext_embeddertest.cpp2
2 files changed, 4 insertions, 2 deletions
diff --git a/core/fpdftext/cpdf_textpage.cpp b/core/fpdftext/cpdf_textpage.cpp
index 7315754919..91cfe8c6c9 100644
--- a/core/fpdftext/cpdf_textpage.cpp
+++ b/core/fpdftext/cpdf_textpage.cpp
@@ -242,8 +242,12 @@ std::vector<CFX_FloatRect> CPDF_TextPage::GetRectArray(int start,
return rects;
const int nCharListSize = CountChars();
+ if (start >= nCharListSize)
+ return rects;
+
if (nCount < 0 || start + nCount > nCharListSize)
nCount = nCharListSize - start;
+ ASSERT(nCount > 0);
CPDF_TextObject* pCurObj = nullptr;
CFX_FloatRect rect;
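Review bot: The clamp condition `start + nCount > nCharListSize` still adds two caller-supplied ints, so a very large positive nCount reaching GetRectArray through FPDFText_CountRects() can overflow the signed addition, which is undefined behaviour and may leave nCount unclamped for the code that follows. With the new `start >= nCharListSize` early return in place, the subtraction cannot go negative, so the check can be written without the addition: `if (nCount < 0 || nCount > nCharListSize - start)`. This assumes a negative start is rejected by the check above the hunk, of which only `return rects;` is visible. `ASSERT(nCount > 0)` documents the invariant but presumably compiles out in release builds, so it should not be relied on as the guard. GetRectArray's body starts before and continues past this hunk.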
diff --git a/fpdfsdk/fpdftext_embeddertest.cpp b/fpdfsdk/fpdftext_embeddertest.cpp
index 0cf10f5106..9d09381d7c 100644
--- a/fpdfsdk/fpdftext_embeddertest.cpp
+++ b/fpdfsdk/fpdftext_embeddertest.cpp
@@ -741,7 +741,6 @@ TEST_F(FPDFTextEmbeddertest, CountRects) {
EXPECT_EQ(1, FPDFText_CountRects(textpage, start, 500));
}
-#if 0
// TODO(thestig): This crashes. Fix and enable.
// Now test start values that starts beyond the end of the text.
for (int start = kExpectedLength; start < 100; ++start) {
@@ -751,7 +750,6 @@ TEST_F(FPDFTextEmbeddertest, CountRects) {
EXPECT_EQ(0, FPDFText_CountRects(textpage, start, 2));
EXPECT_EQ(0, FPDFText_CountRects(textpage, start, 500));
}
-#endif
FPDFText_ClosePage(textpage);
UnloadPage(page);