commit ae5a4c93a941d5e78b3ea6e4fc0d5106122b458f
author Tom Sepez <tsepez@chromium.org> Mon Mar 18 19:53:34 2019 +0000
committer Chromium commit bot <commit-bot@chromium.org> Mon Mar 18 19:53:34 2019 +0000
tree 11e7fe3409ee836527eb2240f6e49106bda26f34
parent bcb9892d16d3b86d3c8fe70cc8ba0430618ff7d4

Check for zero-length strings in CXFA_NodeHelper::CreateNode().

Following these additions, the optimizer appears to have removed
the last of the implicit span bounds checks from CreateNode().

Bug: chromium:932401
Change-Id: If4f6fecabe262e2ef5299419b4f927e554695852
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/51991
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

xfa/fxfa/parser/cxfa_nodehelper.cpp

diff --git a/xfa/fxfa/parser/cxfa_nodehelper.cpp b/xfa/fxfa/parser/cxfa_nodehelper.cpp
index dc9b0ca..10d5e8b 100644
--- a/xfa/fxfa/parser/cxfa_nodehelper.cpp
+++ b/xfa/fxfa/parser/cxfa_nodehelper.cpp
@@ -312,23 +312,24 @@
                                  const WideString& wsCondition,
                                  bool bLastNode,
                                  CFXJSE_Engine* pScriptContext) {
-  ASSERT(!wsName.IsEmpty());
-
   if (!m_pCreateParent)
     return false;
 
   WideStringView wsNameView = wsName.AsStringView();
   bool bIsClassName = false;
   bool bResult = false;
-  if (wsNameView[0] == '!') {
+  if (!wsNameView.IsEmpty() && wsNameView[0] == '!') {
     wsNameView = wsNameView.Right(wsNameView.GetLength() - 1);
     m_pCreateParent = ToNode(
         pScriptContext->GetDocument()->GetXFAObject(XFA_HASHCODE_Datasets));
   }
-  if (wsNameView[0] == '#') {
+  if (!wsNameView.IsEmpty() && wsNameView[0] == '#') {
     bIsClassName = true;
     wsNameView = wsNameView.Right(wsNameView.GetLength() - 1);
   }
+  if (wsNameView.IsEmpty())
+    return false;
+
   if (m_iCreateCount == 0)
     CreateNodeForCondition(wsCondition);