Google Git
Sign in
pdfium/pdfium.git/a786a332ef242300a8a7e095eeb66e65a06c757a^!/.
commit
a786a332ef242300a8a7e095eeb66e65a06c757a
[log]
author
Lei Zhang <thestig@chromium.org>
Tue Jan 08 22:38:52 2019 +0000
committer
Chromium commit bot <commit-bot@chromium.org>
Tue Jan 08 22:38:52 2019 +0000
tree
b19e2b2df642fb7928c76b33866918545b4bef9f
parent
45531b950b6a04a7bcae12431ccfebec9aec77d6 [diff]
Avoid out of bounds access inside CFXJSE_ResolveProcessor::GetFilter().

Check for |nNameCount| == 0 before accessing the |nNameCount| - 1 index.

BUG=pdfium:1216

Change-Id: I1ac5d8ba6e1c66119a60a3be39cd0b261ed53638
Reviewed-on: https://pdfium-review.googlesource.com/c/47910
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

diff --git a/fxjs/xfa/cfxjse_resolveprocessor.cpp b/fxjs/xfa/cfxjse_resolveprocessor.cpp
index 64a3fbd..5a8e69a 100644
--- a/fxjs/xfa/cfxjse_resolveprocessor.cpp
+++ b/fxjs/xfa/cfxjse_resolveprocessor.cpp

@@ -512,14 +512,14 @@
     while (nStart < iLength) {
       wCur = pSrc[nStart++];
       if (wCur == '.') {
-        if (wPrev == '\\') {
-          pNameBuf[nNameCount - 1] = wPrev = '.';
-          continue;
-        }
         if (nNameCount == 0) {
           rnd.m_dwStyles |= XFA_RESOLVENODE_AnyChild;
           continue;
         }
+        if (wPrev == '\\') {
+          pNameBuf[nNameCount - 1] = wPrev = '.';
+          continue;
+        }
 
         wchar_t wLookahead = nStart < iLength ? pSrc[nStart] : 0;
         if (wLookahead != '[' && wLookahead != '(' && nType < 0)