Avoid out of bounds access inside CFXJSE_ResolveProcessor::GetFilter().
Check for |nNameCount| == 0 before accessing the |nNameCount| - 1 index.
BUG=pdfium:1216
Change-Id: I1ac5d8ba6e1c66119a60a3be39cd0b261ed53638
Reviewed-on: https://pdfium-review.googlesource.com/c/47910
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/fxjs/xfa/cfxjse_resolveprocessor.cpp b/fxjs/xfa/cfxjse_resolveprocessor.cpp
index 64a3fbd..5a8e69a 100644
--- a/fxjs/xfa/cfxjse_resolveprocessor.cpp
+++ b/fxjs/xfa/cfxjse_resolveprocessor.cpp
@@ -512,14 +512,14 @@
while (nStart < iLength) {
wCur = pSrc[nStart++];
if (wCur == '.') {
- if (wPrev == '\\') {
- pNameBuf[nNameCount - 1] = wPrev = '.';
- continue;
- }
if (nNameCount == 0) {
rnd.m_dwStyles |= XFA_RESOLVENODE_AnyChild;
continue;
}
+ if (wPrev == '\\') {
+ pNameBuf[nNameCount - 1] = wPrev = '.';
+ continue;
+ }
wchar_t wLookahead = nStart < iLength ? pSrc[nStart] : 0;
if (wLookahead != '[' && wLookahead != '(' && nType < 0)