Remove indexing in CFXJSE_FormCalcContext::DotAccessorCommon().
Avoids the possibility of the issue fixed by
https://pdfium-review.googlesource.com/c/pdfium/+/67171
although it is not clear if this could be triggered.
Change-Id: I6403dd9af16bf8bf5e2058b20bbd8ccda97bd68a
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/67212
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
diff --git a/fxjs/xfa/cfxjse_formcalc_context.cpp b/fxjs/xfa/cfxjse_formcalc_context.cpp
index 9a0c171..de05071 100644
--- a/fxjs/xfa/cfxjse_formcalc_context.cpp
+++ b/fxjs/xfa/cfxjse_formcalc_context.cpp
@@ -5719,11 +5719,11 @@
return;
}
- int32_t iCounter = 0;
auto hJSObjValue = pdfium::MakeUnique<CFXJSE_Value>(pIsolate);
std::vector<std::vector<std::unique_ptr<CFXJSE_Value>>> resolveValues(
iLength - 2);
bool bAttribute = false;
+ bool bAllEmpty = true;
for (int32_t i = 2; i < iLength; i++) {
argAccessor->GetObjectPropertyByIdx(i, hJSObjValue.get());
XFA_RESOLVENODE_RS resolveNodeRS;
@@ -5731,10 +5731,10 @@
&resolveNodeRS, bDotAccessor, bHasNoResolveName)) {
ParseResolveResult(pThis, resolveNodeRS, hJSObjValue.get(),
&resolveValues[i - 2], &bAttribute);
- iCounter += resolveValues[i - 2].size();
+ bAllEmpty = bAllEmpty && resolveValues[i - 2].empty();
}
}
- if (iCounter < 1) {
+ if (bAllEmpty) {
pContext->ThrowPropertyNotInObjectException(
WideString::FromUTF8(bsName.AsStringView()),
WideString::FromUTF8(bsSomExp.AsStringView()));
@@ -5742,20 +5742,18 @@
}
std::vector<std::unique_ptr<CFXJSE_Value>> values;
- for (int32_t i = 0; i < iCounter + 2; i++)
- values.push_back(pdfium::MakeUnique<CFXJSE_Value>(pIsolate));
-
- values[0]->SetInteger(1);
+ values.push_back(pdfium::MakeUnique<CFXJSE_Value>(pIsolate));
+ values.back()->SetInteger(1);
+ values.push_back(pdfium::MakeUnique<CFXJSE_Value>(pIsolate));
if (bAttribute)
- values[1]->SetString(bsName.AsStringView());
+ values.back()->SetString(bsName.AsStringView());
else
- values[1]->SetNull();
+ values.back()->SetNull();
- int32_t iIndex = 2;
for (int32_t i = 0; i < iLength - 2; i++) {
for (size_t j = 0; j < resolveValues[i].size(); j++) {
- values[iIndex]->Assign(resolveValues[i][j].get());
- iIndex++;
+ values.push_back(pdfium::MakeUnique<CFXJSE_Value>(pIsolate));
+ values.back()->Assign(resolveValues[i][j].get());
}
}
args.GetReturnValue()->SetArray(values);
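Review bot: The nested loop that fills `values` still walks `resolveValues` by index, with the outer bound taken from `iLength - 2` rather than from the container, so the commit's goal of removing index arithmetic is only partly met. Iterating the containers directly, `for (const auto& resolved : resolveValues)` and `for (const auto& pValue : resolved)` with `values.back()->Assign(pValue.get());`, would make the bound structural instead of relying on `iLength` still matching the vector's size. The `resolveValues[i - 2]` accesses in the two earlier hunks use the same arithmetic, although there `i` is also needed for `GetObjectPropertyByIdx`. The function body starts and ends outside this hunk, so the guard on `iLength` that precedes `resolveValues(iLength - 2)` cannot be confirmed from here and is worth checking when this lands.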