From 5fbb98122c59d4bf0c830ee352ad4769d2decebf Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Thu, 28 Jun 2018 20:55:54 +0000
Subject: Fix logic error in CJX_InstanceManager::count()

Calling the Setter when the Getter was intended results in a segv
when accessing the empty return value.

Bug: 353450
Change-Id: If3d35de1c5e2a24d11690fd323253f1103ee9ab5
Reviewed-on: https://pdfium-review.googlesource.com/36431
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
---
 fxjs/xfa/cjx_instancemanager.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fxjs/xfa/cjx_instancemanager.cpp b/fxjs/xfa/cjx_instancemanager.cpp
index d9471cd253..f44ccba588 100644
--- a/fxjs/xfa/cjx_instancemanager.cpp
+++ b/fxjs/xfa/cjx_instancemanager.cpp
@@ -320,8 +320,8 @@ void CJX_InstanceManager::count(CFXJSE_Value* pValue,
                                 bool bSetting,
                                 XFA_Attribute eAttribute) {
   if (bSetting) {
-    pValue->SetInteger(GetXFANode()->GetCount());
+    SetInstances(pValue->ToInteger());
     return;
   }
-  SetInstances(pValue->ToInteger());
+  pValue->SetInteger(GetXFANode()->GetCount());
 }
-- 
cgit v1.2.3