From c5c0eebe863bb4fad86b43f62fa81d89f07c9011 Mon Sep 17 00:00:00 2001
From: Dan Sinclair <dsinclair@chromium.org>
Date: Thu, 3 May 2018 18:20:53 +0000
Subject: [xfa] Verify field count before accessing

When processing items for layout it's possible for the iBlockIndex*3
value could be larger then the field split count. If this is the case
we'll walk off the end of the split array.

This CL verifys that we have enough data before attempting to walk the
splits and returns early if we don't have enough data.

Bug: chromium:837585
Change-Id: I534298b4ee354ce079442d893202f811431155a0
Reviewed-on: https://pdfium-review.googlesource.com/32051
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
---
 xfa/fxfa/parser/cxfa_node.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/xfa/fxfa/parser/cxfa_node.cpp b/xfa/fxfa/parser/cxfa_node.cpp
index fef6caeb75..e2bde5ca00 100644
--- a/xfa/fxfa/parser/cxfa_node.cpp
+++ b/xfa/fxfa/parser/cxfa_node.cpp
@@ -3223,6 +3223,9 @@ bool CXFA_Node::FindSplitPos(CXFA_FFDocView* docView,
   }
   std::vector<float>* pFieldArray = &pFieldData->m_FieldSplitArray;
   int32_t iFieldSplitCount = pdfium::CollectionSize<int32_t>(*pFieldArray);
+  if (iFieldSplitCount < (iBlockIndex * 3))
+    return false;
+
   for (int32_t i = 0; i < iBlockIndex * 3; i += 3) {
     iLinesCount -= (int32_t)(*pFieldArray)[i + 1];
     fHeight -= (*pFieldArray)[i + 2];
-- 
cgit v1.2.3