Fix crash in PDF accessibility when PDF engine reports -1 as char count.

The PDF engine was returning -1 from engine_->GetCharCount(), and we were
trying to allocate that many bytes. See bug for repro.

BUG=648981

Review-Url: https://codereview.chromium.org/2648013002
Cr-Commit-Position: refs/heads/master@{#447132}

chrome/browser/pdf/pdf_extension_test.cc

@@ -659,6 +659,21 @@ IN_PROC_BROWSER_TEST_F(PDFExtensionTest, PdfAccessibility) {
   ASSERT_MULTILINE_STREQ(kExpectedPDFAXTree, ax_tree_dump);
 }
 
+#if defined(GOOGLE_CHROME_BUILD)
+// Test a particular PDF encountered in the wild that triggered a crash
+// when accessibility is enabled.  (http://crbug.com/648981)
+IN_PROC_BROWSER_TEST_F(PDFExtensionTest, PdfAccessibilityCharCountCrash) {
+  content::BrowserAccessibilityState::GetInstance()->EnableAccessibility();
+  GURL test_pdf_url(embedded_test_server()->GetURL(
+      "/pdf_private/accessibility_crash_1.pdf"));
+
+  content::WebContents* guest_contents = LoadPdfGetGuestContents(test_pdf_url);
+  ASSERT_TRUE(guest_contents);
+
+  WaitForAccessibilityTreeToContainNodeWithName(guest_contents, "Page 1");
+}
+#endif
+
 IN_PROC_BROWSER_TEST_F(PDFExtensionTest, PdfAccessibilityEnableLater) {
   // In this test, load the PDF file first, with accessibility off.
   GURL test_pdf_url(embedded_test_server()->GetURL("/pdf/test-bookmarks.pdf"));

pdf/out_of_process_instance.cc

@@ -747,6 +747,12 @@ void OutOfProcessInstance::SendNextAccessibilityPage(int32_t page_index) {
     return;
 
   int char_count = engine_->GetCharCount(page_index);
+
+  // Treat a char count of -1 (error) as 0 (an empty page), since
+  // other pages might have valid content.
+  if (char_count < 0)
+    char_count = 0;
+
   PP_PrivateAccessibilityPageInfo page_info;
   page_info.page_index = page_index;
   page_info.bounds = engine_->GetPageBoundsRect(page_index);