XFA: Check template children are actually of type template
Do this in CopyContainer_SubformSet() and
CXFA_Node::CloneTemplateToForm() to prevent DCHECK failures and eventual
crashes.
Bug: 41491062, 371233776
Change-Id: I5f69459f89e1187ca2e1c52ef99cfc961f9cfae1
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/125290
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Thomas Sepez <tsepez@google.com>
diff --git a/xfa/fxfa/parser/cxfa_document.cpp b/xfa/fxfa/parser/cxfa_document.cpp
index 251e3fa..43a957d 100644
--- a/xfa/fxfa/parser/cxfa_document.cpp
+++ b/xfa/fxfa/parser/cxfa_document.cpp
@@ -1089,6 +1089,9 @@
bool bFound = false;
for (CXFA_Node* pTemplateChild = pTemplateNode->GetFirstChild();
pTemplateChild; pTemplateChild = pTemplateChild->GetNextSibling()) {
+ if (pTemplateChild->GetPacketType() != XFA_PacketType::Template) {
+ continue;
+ }
if (XFA_DataMerge_NeedGenerateForm(pTemplateChild, bUseInstanceManager)) {
XFA_NodeMerge_CloneOrMergeContainer(pDocument, pSubformSetNode,
pTemplateChild, true, nullptr);
diff --git a/xfa/fxfa/parser/cxfa_node.cpp b/xfa/fxfa/parser/cxfa_node.cpp
index 53461ab..8f6d82c 100644
--- a/xfa/fxfa/parser/cxfa_node.cpp
+++ b/xfa/fxfa/parser/cxfa_node.cpp
@@ -1287,6 +1287,9 @@
if (bRecursive) {
for (CXFA_Node* pChild = GetFirstChild(); pChild;
pChild = pChild->GetNextSibling()) {
+ if (pChild->GetPacketType() != XFA_PacketType::Template) {
+ continue;
+ }
pClone->InsertChildAndNotify(pChild->CloneTemplateToForm(bRecursive),
nullptr);
}
