commit 468f520e3ee4018f571aab65611ec4e01fb042b6
author Tom Sepez <tsepez@chromium.org> Mon Apr 04 21:25:59 2022 +0000
committer Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> Mon Apr 04 21:25:59 2022 +0000
tree 1ceeabc8fdd9a117b2b623d486bebf885db827fe
parent 584ed1206e7305bd8bda34bf2aac52105ff76ed2

Fix null-dereference in CJX_Object::SetContent()

Bug: chromium:1312736
Change-Id: I31aed7895f5a1e49cf7c7b6dda490e932dd7bfe8
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/92190
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

fxjs/xfa/cjx_object.cpp

diff --git a/fxjs/xfa/cjx_object.cpp b/fxjs/xfa/cjx_object.cpp
index 9a89d84..c206007 100644
--- a/fxjs/xfa/cjx_object.cpp
+++ b/fxjs/xfa/cjx_object.cpp
@@ -603,9 +603,10 @@
           break;
 
         CXFA_Node* pChildValue = pValue->GetFirstChild();
-        DCHECK(pChildValue);
-        pChildValue->JSObject()->SetContent(wsContent, wsContent, bNotify,
-                                            bScriptModify, false);
+        if (pChildValue) {
+          pChildValue->JSObject()->SetContent(wsContent, wsContent, bNotify,
+                                              bScriptModify, false);
+        }
       }
       pBindNode = GetXFANode()->GetBindData();
       if (pBindNode && bSyncData) {

testing/resources/javascript/xfa_specific/bug_1312736.in

diff --git a/testing/resources/javascript/xfa_specific/bug_1312736.in b/testing/resources/javascript/xfa_specific/bug_1312736.in
new file mode 100644
index 0000000..f388810
--- /dev/null
+++ b/testing/resources/javascript/xfa_specific/bug_1312736.in
@@ -0,0 +1,40 @@
+{{header}}
+{{include ../../xfa_catalog_1_0.fragment}}
+{{include ../../xfa_object_2_0.fragment}}
+{{object 3 0}} <<
+  {{streamlen}}
+>>
+stream
+<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
+<template x="">
+  <subform>
+    <pageSet>
+      <pageArea>
+        <contentArea/>
+        <exclGroup name="0">
+          <field>
+            <ui><checkButton/></ui>
+            <items><textEdit/></items>
+          </field>
+        </exclGroup>
+        <subform name="Sho0">
+          <event activity="initialize">
+            <script contentType="application/x-javascript">
+              Sho0.presence=0;
+              app.alert("done");
+            </script>
+          </event>
+        </subform>
+      </pageArea>
+    </pageSet>
+  </subform>
+</template>
+endstream
+endobj
+{{object 8 0} <<
+>>
+endobj
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF

testing/resources/javascript/xfa_specific/bug_1312736_expected.txt

diff --git a/testing/resources/javascript/xfa_specific/bug_1312736_expected.txt b/testing/resources/javascript/xfa_specific/bug_1312736_expected.txt
new file mode 100644
index 0000000..daa1eca
--- /dev/null
+++ b/testing/resources/javascript/xfa_specific/bug_1312736_expected.txt
@@ -0,0 +1 @@
+Alert: done