Prevent out of bound access inside CXFA_LayoutPageMgr. BUG=chromium:925787 Change-Id: I8f4dd73d61561ed1e767e071ab9021c26d955c0c Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/49474 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>

commit: 26de1a62e3178d7a3e90f4eb857da3ebb3aa8edc [log] [tgz]
author: Lei Zhang <thestig@chromium.org> Tue Apr 09 21:27:46 2019 +0000
committer: Chromium commit bot <commit-bot@chromium.org> Tue Apr 09 21:27:46 2019 +0000
tree: 7afd106ffbdea33d6a251de18e71738ce3db2bbd
parent: 685d24fe62a3d7dd2b8fe15209a4dd70d6f90a5b [diff]
diff --git a/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp b/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp
index 112538d..e4d5eba 100644
--- a/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp
+++ b/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp

@@ -293,6 +293,9 @@
     if (pContentAreaNode->GetElementType() != XFA_Element::ContentArea)
       continue;
 
+    if (iCurContentAreaIndex >= rgUsedHeights.size())
+      return false;
+
     const float fHeight = pContentAreaNode->JSObject()->GetMeasureInUnit(
                               XFA_Attribute::H, XFA_Unit::Pt) +
                           kXFALayoutPrecision;
commit	26de1a62e3178d7a3e90f4eb857da3ebb3aa8edc	[log] [tgz]
author	Lei Zhang <thestig@chromium.org>	Tue Apr 09 21:27:46 2019 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	Tue Apr 09 21:27:46 2019 +0000
tree	7afd106ffbdea33d6a251de18e71738ce3db2bbd
parent	685d24fe62a3d7dd2b8fe15209a4dd70d6f90a5b [diff]