[xfa] Verify field count before accessing

When processing items for layout it's possible for the iBlockIndex*3
value could be larger then the field split count. If this is the case
we'll walk off the end of the split array.

This CL verifys that we have enough data before attempting to walk the
splits and returns early if we don't have enough data.

Bug: chromium:837585
Change-Id: I534298b4ee354ce079442d893202f811431155a0
Reviewed-on: https://pdfium-review.googlesource.com/32051
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>

1 files changed, 3 insertions, 0 deletions

diff --git a/xfa/fxfa/parser/cxfa_node.cpp b/xfa/fxfa/parser/cxfa_node.cpp
index fef6caeb75..e2bde5ca00 100644
--- a/xfa/fxfa/parser/cxfa_node.cpp
+++ b/xfa/fxfa/parser/cxfa_node.cpp
@@ -3223,6 +3223,9 @@ bool CXFA_Node::FindSplitPos(CXFA_FFDocView* docView,
   }
   std::vector<float>* pFieldArray = &pFieldData->m_FieldSplitArray;
   int32_t iFieldSplitCount = pdfium::CollectionSize<int32_t>(*pFieldArray);
+  if (iFieldSplitCount < (iBlockIndex * 3))
+    return false;
+
   for (int32_t i = 0; i < iBlockIndex * 3; i += 3) {
     iLinesCount -= (int32_t)(*pFieldArray)[i + 1];
     fHeight -= (*pFieldArray)[i + 2];