[xfa] Verify field count before accessing

When processing items for layout it's possible for the iBlockIndex*3 value could be larger then the field split count. If this is the case we'll walk off the end of the split array. This CL verifys that we have enough data before attempting to walk the splits and returns early if we don't have enough data. Bug: chromium:837585 Change-Id: I534298b4ee354ce079442d893202f811431155a0 Reviewed-on: https://pdfium-review.googlesource.com/32051 Commit-Queue: Ryan Harrison <rharrison@chromium.org> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
author: Dan Sinclair <dsinclair@chromium.org> 2018-05-03 18:20:53 +0000
committer: Chromium commit bot <commit-bot@chromium.org> 2018-05-03 18:20:53 +0000
commit: c5c0eebe863bb4fad86b43f62fa81d89f07c9011 (patch)
tree: c15e79f29e0d37e6e8423e1095dc9c9d18edb66f
parent: 525147a1f6d6cd736a407d1e189ac25d2f4726e8 (diff)
download: pdfium-c5c0eebe863bb4fad86b43f62fa81d89f07c9011.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/xfa/fxfa/parser/cxfa_node.cpp b/xfa/fxfa/parser/cxfa_node.cpp
index fef6caeb75..e2bde5ca00 100644
--- a/xfa/fxfa/parser/cxfa_node.cpp
+++ b/xfa/fxfa/parser/cxfa_node.cpp
@@ -3223,6 +3223,9 @@ bool CXFA_Node::FindSplitPos(CXFA_FFDocView* docView,
   }
   std::vector<float>* pFieldArray = &pFieldData->m_FieldSplitArray;
   int32_t iFieldSplitCount = pdfium::CollectionSize<int32_t>(*pFieldArray);
+  if (iFieldSplitCount < (iBlockIndex * 3))
+    return false;
+
   for (int32_t i = 0; i < iBlockIndex * 3; i += 3) {
     iLinesCount -= (int32_t)(*pFieldArray)[i + 1];
     fHeight -= (*pFieldArray)[i + 2];
author	Dan Sinclair <dsinclair@chromium.org>	2018-05-03 18:20:53 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	2018-05-03 18:20:53 +0000
commit	c5c0eebe863bb4fad86b43f62fa81d89f07c9011 (patch)
tree	c15e79f29e0d37e6e8423e1095dc9c9d18edb66f
parent	525147a1f6d6cd736a407d1e189ac25d2f4726e8 (diff)
download	pdfium-c5c0eebe863bb4fad86b43f62fa81d89f07c9011.tar.xz