From db6d0600d59654f6e4a55a9e8933157ce03af10a Mon Sep 17 00:00:00 2001 From: Jun Fang Date: Tue, 23 Feb 2016 09:00:16 +0800 Subject: Fix a crasher in CFX_ArrayTemplate::GetAt() BUG=pdfium:406 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1720743003 . --- xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp b/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp index 7e17b77213..ed0836d539 100644 --- a/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp +++ b/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp @@ -1129,17 +1129,15 @@ void CXFA_ItemLayoutProcessor::DoLayoutPositionedContainer( pContext->m_prgSpecifiedColumnWidths->GetSize() - iColIndex) { pContext->m_fCurColumnWidth = 0; pContext->m_bCurColumnWidthAvaiable = TRUE; - if (iColSpan == -1) { + if (iColSpan == -1) iColSpan = pContext->m_prgSpecifiedColumnWidths->GetSize(); - } - for (int32_t i = 0; i < iColSpan; i++) { + for (int32_t i = 0; iColIndex + i < iColSpan; ++i) { pContext->m_fCurColumnWidth += pContext->m_prgSpecifiedColumnWidths->GetAt(iColIndex + i); } - if (pContext->m_fCurColumnWidth == 0) { + if (pContext->m_fCurColumnWidth == 0) pContext->m_bCurColumnWidthAvaiable = FALSE; - } - iColIndex += iColSpan; + iColIndex += iColSpan >= 0 ? iColSpan : 0; } } pProcessor->DoLayout(FALSE, XFA_LAYOUT_FLOAT_MAX, XFA_LAYOUT_FLOAT_MAX, -- cgit v1.2.3