Fix FMCallExpression undefined shift behaviour.

xfa/fxfa/fm2js/xfa_simpleexpression.cpp

Index: xfa/fxfa/fm2js/xfa_simpleexpression.cpp
diff --git a/xfa/fxfa/fm2js/xfa_simpleexpression.cpp b/xfa/fxfa/fm2js/xfa_simpleexpression.cpp
index 47bb9df235583b0fcb51c34e0ba5a32762d2379e..a7a88ec30aa70d0d22d68c6a7470a7c7e5946a16 100644
--- a/xfa/fxfa/fm2js/xfa_simpleexpression.cpp
+++ b/xfa/fxfa/fm2js/xfa_simpleexpression.cpp
@@ -541,7 +541,10 @@ void CXFA_FMCallExpression::ToJavaScript(CFX_WideTextBuf& javascript) {
       uint32_t methodPara = IsMethodWithObjParam(funcName.AsStringC());
       if (methodPara > 0) {
         for (int i = 0; i < m_pArguments->GetSize(); ++i) {
-          if ((methodPara & (0x01 << i)) > 0) {
+          // Currently none of our expressions use objects for a parameter over
+          // the 6th. Make sure we don't overflow the shift when doing this
+          // check. If we ever need more the 32 object params we can revisit.
+          if (i < 32 && (methodPara & (0x01 << i)) > 0) {
             javascript << gs_lpStrExpFuncName[GETFMJSOBJ];
           } else {
             javascript << gs_lpStrExpFuncName[GETFMVALUE];