From c9d6d68e9b91a0373d8aac42cdde5dac1925ec42 Mon Sep 17 00:00:00 2001
From: Ryan Harrison <rharrison@chromium.org>
Date: Tue, 29 Aug 2017 12:21:32 -0400
Subject: Fix incorrectly guarded lexer advancement in FormCalc parser

BUG=chromium:752501

Change-Id: Ie9943cd80a4afa73ad9393c8bcd2aa2656a9d932
Reviewed-on: https://pdfium-review.googlesource.com/12290
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
---
 xfa/fxfa/fm2js/cxfa_fmparser.cpp          | 2 +-
 xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/xfa/fxfa/fm2js/cxfa_fmparser.cpp b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
index 2981a4dd84..18c37c5b6a 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
@@ -814,7 +814,7 @@ std::unique_ptr<CXFA_FMSimpleExpression> CXFA_FMParser::ParsePostExpression(
         }
         CFX_WideStringC tempStr = m_token->m_string;
         uint32_t tempLine = m_token->m_line_num;
-        if (NextToken())
+        if (!NextToken())
           return nullptr;
         if (m_token->m_type != TOKlbracket) {
           std::unique_ptr<CXFA_FMSimpleExpression> s =
diff --git a/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp b/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
index 214fd4aec3..4a17067087 100644
--- a/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
@@ -114,3 +114,12 @@ TEST(CXFA_FMParserTest, MaxParseDepth) {
   EXPECT_EQ(nullptr, parser->Parse());
   EXPECT_TRUE(parser->HasError());
 }
+
+TEST(CFXA_FMParserTest, chromium752201) {
+  auto parser = pdfium::MakeUnique<CXFA_FMParser>(
+      L"fTep a\n"
+      L".#\n"
+      L"fo@ =[=l");
+  EXPECT_EQ(nullptr, parser->Parse());
+  EXPECT_TRUE(parser->HasError());
+}
-- 
cgit v1.2.3