From a0377dc31bccf0e3427bd94fab5fed17c1283098 Mon Sep 17 00:00:00 2001
From: Ryan Harrison
Date: Tue, 15 Aug 2017 11:04:37 -0400
Subject: Add checks on length of string before accessing elements of string
BUG=chromium:754982
Change-Id: I41da6828c714d3ed12fe796ae7e228d87b168962
Reviewed-on: https://pdfium-review.googlesource.com/10890
Commit-Queue: Ryan Harrison
Reviewed-by: Tom Sepez
---
 xfa/fxfa/parser/cxfa_resolveprocessor.cpp | 34 ++++++++++++++++---------------
 1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/xfa/fxfa/parser/cxfa_resolveprocessor.cpp b/xfa/fxfa/parser/cxfa_resolveprocessor.cpp
index 9edb3bce81..fe4605b4f0 100644
--- a/xfa/fxfa/parser/cxfa_resolveprocessor.cpp
+++ b/xfa/fxfa/parser/cxfa_resolveprocessor.cpp
@@ -41,21 +41,23 @@ int32_t CXFA_ResolveProcessor::Resolve(CXFA_ResolveNodesData& rnd) {
 if (rnd.m_dwStyles & XFA_RESOLVENODE_AnyChild) {
 return ResolveAnyChild(rnd);
 }
- wchar_t wch = rnd.m_wsName[0];
- switch (wch) {
- case '$':
- return ResolveDollar(rnd);
- case '!':
- return ResolveExcalmatory(rnd);
- case '#':
- return ResolveNumberSign(rnd);
- case '*':
- return ResolveAsterisk(rnd);
- // TODO(dsinclair): We could probably remove this.
- case '.':
- return ResolveAnyChild(rnd);
- default:
- break;
+ if (rnd.m_wsName.GetLength()) {
+ wchar_t wch = rnd.m_wsName[0];
+ switch (wch) {
+ case '$':
+ return ResolveDollar(rnd);
+ case '!':
+ return ResolveExcalmatory(rnd);
+ case '#':
+ return ResolveNumberSign(rnd);
+ case '*':
+ return ResolveAsterisk(rnd);
+ // TODO(dsinclair): We could probably remove this.
+ case '.':
+ return ResolveAnyChild(rnd);
+ default:
+ break;
+ }
 }
 if (rnd.m_uHashName == XFA_HASHCODE_This && rnd.m_nLevel == 0) {
 rnd.m_Objects.push_back(rnd.m_pSC->GetThisObject());
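Review bot: An empty `rnd.m_wsName` now skips the prefix switch and falls through to the `XFA_HASHCODE_This` comparison and the rest of `Resolve`, which continues outside the hunk, so the guard removes the `[0]` access but does not decide what an empty name should resolve to. It is worth confirming that the later path treats a zero-length name as "no match" rather than depending on every downstream helper tolerating it. The diffstat shows only this file changed, so nothing pins the empty-name case; a unit test or fuzzer corpus entry with an empty name segment would keep the invalid index from coming back. As a style point, `if (!rnd.m_wsName.IsEmpty()) {` states the intent more directly than the implicit length-to-bool test.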
@@ -89,7 +91,7 @@ int32_t CXFA_ResolveProcessor::ResolveAnyChild(CXFA_ResolveNodesData& rnd) {
 CFX_WideString wsCondition = rnd.m_wsCondition;
 CXFA_Node* findNode = nullptr;
 bool bClassName = false;
- if (wsName[0] == '#') {
+ if (wsName.GetLength() && wsName[0] == '#') {
 bClassName = true;
 wsName = wsName.Right(wsName.GetLength() - 1);
 }
-- cgit v1.2.3
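Review bot: A name that is just `#` passes the new check, and `wsName.Right(wsName.GetLength() - 1)` then leaves `wsName` empty while `bClassName` is set to true. The code that consumes `wsName` lies after the hunk, so it is not visible here whether the class-name lookup copes with an empty string; if it does not, the length needs re-testing after the strip. The declaration of `wsName` is also above the hunk, so this assumes it is a local copy of `rnd.m_wsName`. A one-line comment such as `// wsName may be empty here; only strip a leading '#' when one is present.` would record why the guard exists.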