[Password Manager] Fix password saving on Macys registration page

components/autofill/content/renderer/password_form_conversion_utils.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/autofill/content/renderer/password_form_conversion_utils.h"
 
 #include "base/strings/string_util.h"
 #include "components/autofill/content/renderer/form_autofill_util.h"
 #include "components/autofill/core/common/password_form.h"
 #include "third_party/WebKit/public/platform/WebString.h"
@@ skipping 42 matching lines @@
   }
 
   // If we have seen an element with either of autocomplete attributes above,
   // take that as a signal that the page author must have intentionally left the
   // rest of the password fields unmarked. Perhaps they are used for other
   // purposes, e.g., PINs, OTPs, and the like. So we skip all the heuristics we
   // normally do, and ignore the rest of the password fields.
   if (!current_password->isNull() || !new_password->isNull())
     return true;
 
+  if (passwords.empty())
+    return false;
+
   switch (passwords.size()) {
     case 1:
       // Single password, easy.
       *current_password = passwords[0];
       break;
     case 2:
       if (passwords[0].value() == passwords[1].value()) {
         // Two identical passwords: assume we are seeing a new password with a
         // confirmation. This can be either a sign-up form or a password change
         // form that does not ask for the old password.
         *new_password = passwords[0];
       } else {
         // Assume first is old password, second is new (no choice but to guess).
         *current_password = passwords[0];
         *new_password = passwords[1];
       }
       break;
-    case 3:
+    default:
       if (!passwords[0].value().isEmpty() &&
           passwords[0].value() == passwords[1].value() &&
           passwords[0].value() == passwords[2].value()) {
         // All three passwords are the same and non-empty? This does not make
         // any sense, give up.
         return false;
       } else if (passwords[1].value() == passwords[2].value()) {
         // New password is the duplicated one, and comes second; or empty form
         // with 3 password fields, in which case we will assume this layout.
         *current_password = passwords[0];
         *new_password = passwords[1];
       } else if (passwords[0].value() == passwords[1].value()) {
         // It is strange that the new password comes first, but trust more which
-        // fields are duplicated than the ordering of fields.
-        *current_password = passwords[2];
+        // fields are duplicated than the ordering of fields. Assume that
+        // any password fields after the new password contain sensitive
+        // information that isn't actually a password (security hint, SSN, etc.)
         *new_password = passwords[0];
       } else {
         // Three different passwords, or first and last match with middle
         // different. No idea which is which, so no luck.
         return false;
       }
-      break;
-    default:
-      return false;
   }
   return true;
 }
 
 // Get information about a login form encapsulated in a PasswordForm struct.
 // If an element of |form| has an entry in |user_modified_elements|, the
 // associated string is used instead of the element's value to create
 // the PasswordForm.
 void GetPasswordForm(const WebFormElement& form,
                      PasswordForm* password_form,
@@ skipping 169 matching lines @@
                            blink::WebFormControlElement(),
                            REQUIRE_NONE,
                            EXTRACT_NONE,
                            &password_form->form_data,
                            NULL /* FormFieldData */);
 
   return password_form.Pass();
 }
 
 }  // namespace autofill