Guard against undefined shift.

xfa/fde/xml/fde_xml_imp.cpp

Index: xfa/fde/xml/fde_xml_imp.cpp
diff --git a/xfa/fde/xml/fde_xml_imp.cpp b/xfa/fde/xml/fde_xml_imp.cpp
index 4c6dcf989c4c910835c41ac17ea0adb58962ad9a..78cb6d80b2a3196d17ff267d9b9b36d24fb695c0 100644
--- a/xfa/fde/xml/fde_xml_imp.cpp
+++ b/xfa/fde/xml/fde_xml_imp.cpp
@@ -1868,14 +1868,22 @@ void CFDE_XMLSyntaxParser::ParseTextChar(FX_WCHAR ch) {
             } else {
               break;
             }
+            if (ch < 0) {

[Wei Li, 2016/08/08 22:38:52]

Should we check overflow instead of being negative?
Maybe we can check the number of non-zero wchar, which should be no more than 4,
right?

[dsinclair, 2016/08/09 00:21:51]

I can switch to using overflow checking, will change the code tomorrow. I think
the windows test will still need to be special cased as it doesn't overflow a
windows wchar_t, but this code will be nicer.

Not sure what you mean by checking the non-zero wchar?

[dsinclair, 2016/08/09 14:33:33]

I tried the checked numeric but I'd also still need the < 0 check. The wchar_t
signedness is undefined by the spec. So, it happens that Linux leaves it as
signed, so the CheckedNumeric doesn't overflow, but the shift still fails.

+              ch = ' ';
+              break;
+            }
           }
         } else {
           for (int32_t i = 1; i < iLen; i++) {
             w = csEntity[i];
-            if (w < L'0' || w > L'9') {
+            if (w < L'0' || w > L'9')
               break;
-            }
             ch = ch * 10 + w - L'0';
+
+            if (ch < 0) {
+              ch = ' ';
+              break;
+            }
           }
         }
         if (ch != 0) {