
[pdf] Avoid out-of-bounds accesses in PDFiumFormFiller

crrev.com/905403 replaced some early returns and NOTREACHED()s with
DCHECKs. The early returns were meant to prevent out-of-bounds accesses,
but the NOTREACHED()s incorrectly conveyed a guarantee that the bad
accesses were impossible.

Apparently, they are possible. So re-implement the early returns.

This wasn't caught earlier because ClusterFuzz is not run with DCHECKs
on. Therefore, the original NOTREACHED()s were never reported as
reachable.

Bug: 1233354
Change-Id: I5206f48f5064e23f6be6068bbc60fdb5e0155f3f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3056278
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Daniel Hosseinian <dhoss@chromium.org>
Cr-Commit-Position: refs/heads/master@{#905845}
Daniel Hosseinian
2021-07-27 19:04:43 +00:00
committed by Chromium LUCI CQ
parent 797ff7f44c
commit 2a1977a2f6

@ -155,7 +155,8 @@ void PDFiumFormFiller::Form_OutputSelectedRect(FPDF_FORMFILLINFO* param,
double bottom) {
PDFiumEngine* engine = GetEngine(param);
int page_index = engine->GetVisiblePageIndex(page);
DCHECK_NE(page_index, -1);
if (page_index == -1)
return;
gfx::Rect rect = engine->pages_[page_index]->PageToScreen(
engine->GetVisibleRect().origin(), engine->current_zoom_, left, top,
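Review bot: The `if (page_index == -1) return;` bail-out is what actually protects the `engine->pages_[page_index]` index in release builds, since the commit message states ClusterFuzz runs without DCHECKs; if the `DCHECK_NE(page_index, -1);` line directly above it is retained rather than removed, it will fire in debug builds on the same input the message says is reachable, so either drop it or add a short comment explaining that a non-visible page is an expected condition here and not a programming error.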
@ -229,9 +230,11 @@ FPDF_PAGE PDFiumFormFiller::Form_GetCurrentPage(FPDF_FORMFILLINFO* param,
int index = engine->last_focused_page_;
if (index == -1) {
index = engine->GetMostVisiblePage();
DCHECK_NE(index, -1);
if (index == -1)
return nullptr;
}
DCHECK_NE(index, -1);
return engine->pages_[index]->GetPage();
}
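Review bot: Only one `DCHECK_NE(index, -1)` is needed in this hunk, and the one after the block can never fail by construction: either `last_focused_page_` was not -1, or the inner `if (index == -1) return nullptr;` already left the function after `GetMostVisiblePage()`. Keep a single assertion next to the call whose result it checks, or drop the trailing one as redundant, so the reader does not wonder which path it is meant to guard.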