Prevent an out of bound access in CXFA_TextLayout::DoLayout(). BUG=chromium:925788 Change-Id: I46b910001f6d789e8dca48fdb18d1f86c9bd7592 Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/49496 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>

commit: 52c673122691a1ed26c664db9c0d8c613a566fbb [log] [tgz]
author: Lei Zhang <thestig@chromium.org> Wed Apr 10 17:27:59 2019 +0000
committer: Chromium commit bot <commit-bot@chromium.org> Wed Apr 10 17:27:59 2019 +0000
tree: dea99d5ecd4f247aa04715a9fbcb883e7c9085c6
parent: 44034bca7d3eda87b7e7f38d9cf695fde9a312dd [diff]
diff --git a/xfa/fxfa/cxfa_textlayout.cpp b/xfa/fxfa/cxfa_textlayout.cpp
index a0e9758..cf565a6 100644
--- a/xfa/fxfa/cxfa_textlayout.cpp
+++ b/xfa/fxfa/cxfa_textlayout.cpp

@@ -352,9 +352,9 @@
       szLineIndex = m_Blocks[szBlockIndex].szIndex;
     else
       szLineIndex = GetNextIndexFromLastBlockData();
-    if (!m_pLoader->blockHeights.empty()) {
-      for (size_t i = 0; i < szBlockIndex; ++i)
-        fLinePos -= m_pLoader->blockHeights[i].fHeight;
+    for (size_t i = 0;
+         i < std::min(szBlockIndex, m_pLoader->blockHeights.size()); ++i) {
+      fLinePos -= m_pLoader->blockHeights[i].fHeight;
     }
   }
commit	52c673122691a1ed26c664db9c0d8c613a566fbb	[log] [tgz]
author	Lei Zhang <thestig@chromium.org>	Wed Apr 10 17:27:59 2019 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	Wed Apr 10 17:27:59 2019 +0000
tree	dea99d5ecd4f247aa04715a9fbcb883e7c9085c6
parent	44034bca7d3eda87b7e7f38d9cf695fde9a312dd [diff]