Avoid integer overflow in RelocateTableRowCells().

-- also add some consts as appropriate.

Bug: chromium:1164158
Change-Id: I3146a8f0fc45e1282548dad136379a8f87a7770d
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/77230
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Daniel Hosseinian <dhoss@chromium.org>
diff --git a/testing/resources/javascript/xfa_specific/bug_1164158.in b/testing/resources/javascript/xfa_specific/bug_1164158.in
new file mode 100644
index 0000000..28b7eff
--- /dev/null
+++ b/testing/resources/javascript/xfa_specific/bug_1164158.in
@@ -0,0 +1,37 @@
+{{header}}
+{{include ../../xfa_catalog_1_0.fragment}}
+{{include ../../xfa_object_2_0.fragment}}
+{{include ../../xfa_preamble_3_0.fragment}}
+{{include ../../xfa_config_4_0.fragment}}
+{{object 5 0}} <<
+  {{streamlen}}
+>>
+stream
+<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
+  <subform>
+    <pageSet relation="simplexPaginated">
+      <pageArea pagePosition="last">
+        <subform>
+          <subform layout="table">
+            <subform layout="row">
+              <field />
+              <field colSpan="4294967295" presence="inactive" />
+            </subform>
+          </subform>
+        </subform>
+      </pageArea>
+      <pageArea>
+        <contentArea />
+      </pageArea>
+    </pageSet>
+  </subform>
+</template>
+endstream
+endobj
+{{include ../../xfa_locale_6_0.fragment}}
+{{include ../../xfa_postamble_7_0.fragment}}
+{{include ../../xfa_pages_8_0.fragment}}
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF
diff --git a/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp b/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp
index 9c48284..1143c76 100644
--- a/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp
+++ b/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp
@@ -190,22 +190,25 @@
                            XFA_AttributeValue eLayout) {
   bool bContainerWidthAutoSize = true;
   bool bContainerHeightAutoSize = true;
-  CFX_SizeF containerSize = CalculateContainerSpecifiedSize(
+  const CFX_SizeF containerSize = CalculateContainerSpecifiedSize(
       pLayoutRow->GetFormNode(), &bContainerWidthAutoSize,
       &bContainerHeightAutoSize);
+
   CXFA_Margin* pMargin =
       pLayoutRow->GetFormNode()->GetFirstChildByClass<CXFA_Margin>(
           XFA_Element::Margin);
-  CFX_FloatRect inset = GetMarginInset(pMargin);
-  float fContentWidthLimit =
+  const CFX_FloatRect inset = GetMarginInset(pMargin);
+
+  const float fContentWidthLimit =
       bContainerWidthAutoSize ? FLT_MAX
                               : containerSize.width - inset.left - inset.right;
-  float fContentCurrentHeight =
+  const float fContentCurrentHeight =
       pLayoutRow->m_sSize.height - inset.top - inset.bottom;
+
   float fContentCalculatedWidth = 0;
   float fContentCalculatedHeight = 0;
   float fCurrentColX = 0;
-  int32_t nCurrentColIdx = 0;
+  size_t nCurrentColIdx = 0;
   bool bMetWholeRowCell = false;
 
   for (CXFA_LayoutItem* pIter = pLayoutRow->GetFirstChild(); pIter;
@@ -214,24 +217,28 @@
     if (!pLayoutChild)
       continue;
 
-    int32_t nOriginalColSpan =
+    const int32_t nOriginalColSpan =
         pLayoutChild->GetFormNode()->JSObject()->GetInteger(
             XFA_Attribute::ColSpan);
-    if (nOriginalColSpan <= 0 && nOriginalColSpan != -1)
+
+    size_t nColSpan;
+    if (nOriginalColSpan > 0)
+      nColSpan = static_cast<size_t>(nOriginalColSpan);
+    else if (nOriginalColSpan == -1)
+      nColSpan = rgSpecifiedColumnWidths.size();
+    else
       continue;
 
-    int32_t nColSpan = nOriginalColSpan;
+    CHECK(nCurrentColIdx <= rgSpecifiedColumnWidths.size());
+    const size_t remaining = rgSpecifiedColumnWidths.size() - nCurrentColIdx;
+    nColSpan = std::min(nColSpan, remaining);
+
     float fColSpanWidth = 0;
-    if (nColSpan == -1 ||
-        nCurrentColIdx + nColSpan >
-            pdfium::CollectionSize<int32_t>(rgSpecifiedColumnWidths)) {
-      nColSpan = pdfium::CollectionSize<int32_t>(rgSpecifiedColumnWidths) -
-                 nCurrentColIdx;
-    }
-    for (int32_t i = 0; i < nColSpan; i++)
+    for (size_t i = 0; i < nColSpan; i++)
       fColSpanWidth += rgSpecifiedColumnWidths[nCurrentColIdx + i];
 
-    if (nColSpan != nOriginalColSpan) {
+    if (nOriginalColSpan == -1 ||
+        nColSpan != static_cast<size_t>(nOriginalColSpan)) {
       fColSpanWidth = bMetWholeRowCell ? 0
                                        : std::max(fColSpanWidth,
                                                   pLayoutChild->m_sSize.height);