2 files changed, 11 insertions, 6 deletions

diff --git a/fxjs/cfxjse_formcalc_context.cpp b/fxjs/cfxjse_formcalc_context.cpp
index 3ed8a78da3..15401a010e 100644
--- a/fxjs/cfxjse_formcalc_context.cpp
+++ b/fxjs/cfxjse_formcalc_context.cpp
@@ -3891,17 +3891,12 @@ void CFXJSE_FormCalcContext::Lower(CFXJSE_Value* pThis,
   CFX_WideTextBuf lowStringBuf;
   ByteString argString = ValueToUTF8String(argOne.get());
   WideString wsArgString = WideString::FromUTF8(argString.AsStringView());
-  const wchar_t* pData = wsArgString.c_str();
-  size_t i = 0;
-  while (i < argString.GetLength()) {
-    int32_t ch = pData[i];
+  for (auto ch : wsArgString) {
     if ((ch >= 0x41 && ch <= 0x5A) || (ch >= 0xC0 && ch <= 0xDE))
       ch += 32;
     else if (ch == 0x100 || ch == 0x102 || ch == 0x104)
       ch += 1;
-
     lowStringBuf.AppendChar(ch);
-    ++i;
   }
   lowStringBuf.AppendChar(0);
 
diff --git a/fxjs/cfxjse_formcalc_context_embeddertest.cpp b/fxjs/cfxjse_formcalc_context_embeddertest.cpp
index 58cb34b6d9..22e6b25afc 100644
--- a/fxjs/cfxjse_formcalc_context_embeddertest.cpp
+++ b/fxjs/cfxjse_formcalc_context_embeddertest.cpp
@@ -1176,6 +1176,16 @@ TEST_F(CFXJSE_FormCalcContextEmbedderTest, Lower) {
   }
 }
 
+// This is testing for an OOB read, so will likely only fail under ASAN.
+TEST_F(CFXJSE_FormCalcContextEmbedderTest, bug_854623) {
+  ASSERT_TRUE(OpenDocument("simple_xfa.pdf"));
+
+  const uint8_t test_string[] = {
+      0x4c, 0x6f, 0x77, 0x65, 0x72, 0x28, 0x22, 0xc3,
+      0x85, 0xc3, 0x85, 0xc3, 0x85, 0x22, 0x29};  // Lower("ÅÅÅ")
+  Execute(ByteString(test_string, sizeof(test_string)).AsStringView());
+}
+
 TEST_F(CFXJSE_FormCalcContextEmbedderTest, Ltrim) {
   ASSERT_TRUE(OpenDocument("simple_xfa.pdf"));