From 749b609d11e855edf0aefdacbe4f81bb73d8d0d0 Mon Sep 17 00:00:00 2001
From: Dan Sinclair <dsinclair@chromium.org>
Date: Wed, 7 Mar 2018 18:48:37 +0000
Subject: [formcalc] Handle bad elseif conditionals

This Cl adds checking for the conditionals of if and elseif expressions.
If the conditional fails to parse we should return nullptr. This already
happens by accident in the if() case, but with elseif() conditions we'll
fail the ASSERT in the CXFA_FMIfExpression constructor and crash.

This CL explicitly checks for the expressions and early exists if they
failed to parse.

Bug: chromium:819509
Change-Id: I9a90182c7709c8c4c0d3ae17d6be67cb668c0c6a
Reviewed-on: https://pdfium-review.googlesource.com/28131
Commit-Queue: dsinclair <dsinclair@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
---
 xfa/fxfa/fm2js/cxfa_fmparser.cpp          |  5 +++++
 xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp | 20 ++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
index f000066a19..20e0fa6d1c 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
@@ -911,6 +911,8 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseIfExpression() {
     return nullptr;
 
   std::unique_ptr<CXFA_FMSimpleExpression> pCondition = ParseParenExpression();
+  if (!pCondition)
+    return nullptr;
   if (!CheckThenNext(TOKthen))
     return nullptr;
 
@@ -923,6 +925,8 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseIfExpression() {
       return nullptr;
 
     auto elseIfCondition = ParseParenExpression();
+    if (!elseIfCondition)
+      return nullptr;
     if (!CheckThenNext(TOKthen))
       return nullptr;
 
@@ -969,6 +973,7 @@ std::unique_ptr<CXFA_FMExpression> CXFA_FMParser::ParseWhileExpression() {
       std::move(pCondition),
       pdfium::MakeUnique<CXFA_FMBlockExpression>(std::move(exprs)));
 }
+
 // For := 'for' Assignment 'upto' Accessor ('step' SimpleExpression)?
 //            'do' ExpressionList 'endfor' |
 //         'for' Assignment 'downto' Accessor ('step' SimpleExpression)?
diff --git a/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp b/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
index 52de964f65..5ee27b189e 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
@@ -218,3 +218,23 @@ TEST(CXFA_FMParserTest, ParseFuncWithBadParamsList) {
   ASSERT_TRUE(ast == nullptr);
   EXPECT_TRUE(parser->HasError());
 }
+
+TEST(CXFA_FMParserTest, ParseBadIfExpression) {
+  const wchar_t input[] = {L"if ( then"};
+
+  auto parser = pdfium::MakeUnique<CXFA_FMParser>(input);
+  std::unique_ptr<CXFA_FMAST> ast = parser->Parse();
+  ASSERT_TRUE(ast == nullptr);
+  EXPECT_TRUE(parser->HasError());
+}
+
+TEST(CXFA_FMParserTest, ParseBadElseIfExpression) {
+  const wchar_t input[] = {
+      L"if ($ ne -1) then\n"
+      L"elseif( then"};
+
+  auto parser = pdfium::MakeUnique<CXFA_FMParser>(input);
+  std::unique_ptr<CXFA_FMAST> ast = parser->Parse();
+  ASSERT_TRUE(ast == nullptr);
+  EXPECT_TRUE(parser->HasError());
+}
-- 
cgit v1.2.3