commit a4382cfdce2a583dd006c9d9390a0994ff56d154
author Tom Sepez <tsepez@chromium.org> Wed Mar 27 22:08:18 2019 +0000
committer Chromium commit bot <commit-bot@chromium.org> Wed Mar 27 22:08:18 2019 +0000
tree f5263559c4394122c9072d4bc45ac2c0e0f897c0
parent 08ee0ececdeec1f856d343f8e821f233afde3b0f

Check that result of CPDF_Array::GetDirectObjectAt() may be null.

Even if the index is in bounds, there might be a reference to
a non-existent object number, and null is returned. Fix a few
places where the result was immediately de-referenced.

Bug: pdfium:1267
Change-Id: Ib4bb4a7a43be432733faf127464ba66fa2301a98
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/52531
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

core/fpdfapi/page/cpdf_streamcontentparser.cpp

diff --git a/core/fpdfapi/page/cpdf_streamcontentparser.cpp b/core/fpdfapi/page/cpdf_streamcontentparser.cpp
index 8908228..2e53764 100644
--- a/core/fpdfapi/page/cpdf_streamcontentparser.cpp
+++ b/core/fpdfapi/page/cpdf_streamcontentparser.cpp
@@ -1287,7 +1287,8 @@
   size_t n = pArray->size();
   size_t nsegs = 0;
   for (size_t i = 0; i < n; i++) {
-    if (pArray->GetDirectObjectAt(i)->IsString())
+    const CPDF_Object* pDirectObject = pArray->GetDirectObjectAt(i);
+    if (pDirectObject && pDirectObject->IsString())
       nsegs++;
   }
   if (nsegs == 0) {
@@ -1304,6 +1305,9 @@
   float fInitKerning = 0;
   for (size_t i = 0; i < n; i++) {
     CPDF_Object* pObj = pArray->GetDirectObjectAt(i);
+    if (!pObj)
+      continue;
+
     if (pObj->IsString()) {
       ByteString str = pObj->GetString();
       if (str.IsEmpty())

core/fpdfdoc/cpdf_formfield.cpp

diff --git a/core/fpdfdoc/cpdf_formfield.cpp b/core/fpdfdoc/cpdf_formfield.cpp
index ba15e1e..d5ac71b 100644
--- a/core/fpdfdoc/cpdf_formfield.cpp
+++ b/core/fpdfdoc/cpdf_formfield.cpp
@@ -564,11 +564,11 @@
       break;
     }
   }
-  for (int i = 0; i < static_cast<int>(pArray->size()); i++)
-    if (pArray->GetDirectObjectAt(i)->GetUnicodeText() == opt_value &&
-        i == iPos) {
+  for (int i = 0; i < static_cast<int>(pArray->size()); i++) {
+    const CPDF_Object* pDirectObj = pArray->GetDirectObjectAt(i);
+    if (pDirectObj && pDirectObj->GetUnicodeText() == opt_value && i == iPos)
       return true;
-    }
+  }
   return false;
 }
 

core/fpdfdoc/cpvt_generateap.cpp

diff --git a/core/fpdfdoc/cpvt_generateap.cpp b/core/fpdfdoc/cpvt_generateap.cpp
index 0bdf701..d9c2785 100644
--- a/core/fpdfdoc/cpvt_generateap.cpp
+++ b/core/fpdfdoc/cpvt_generateap.cpp
@@ -1233,11 +1233,13 @@
 
           if (CPDF_Object* pOpt = pOpts->GetDirectObjectAt(i)) {
             WideString swItem;
-            if (pOpt->IsString())
+            if (pOpt->IsString()) {
               swItem = pOpt->GetUnicodeText();
-            else if (CPDF_Array* pArray = pOpt->AsArray())
-              swItem = pArray->GetDirectObjectAt(1)->GetUnicodeText();
-
+            } else if (CPDF_Array* pArray = pOpt->AsArray()) {
+              CPDF_Object* pDirectObj = pArray->GetDirectObjectAt(1);
+              if (pDirectObj)
+                swItem = pDirectObj->GetUnicodeText();
+            }
             bool bSelected = false;
             if (pSels) {
               for (size_t s = 0, ssz = pSels->size(); s < ssz; s++) {