Fix 2 XFA nullptr crashes.
One is in CXFA_LayoutPageMgr::MergePageSetContents(). Once that is
fixed, the same document that triggered the first crash triggers another
crash in XFA_DataMerge_FindDataScope().
BUG=pdfium:1250
Change-Id: I2e470d4345f9508324239c684036dfcf2ea6c864
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/51331
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp b/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp
index 901404a..8139097 100644
--- a/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp
+++ b/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp
@@ -1833,12 +1833,13 @@
}
}
if (!pPendingPageSet->GetParent()) {
- CXFA_Node* pFormToplevelSubform =
- pDocument->GetXFAObject(XFA_HASHCODE_Form)
- ->AsNode()
- ->GetFirstChildByClass<CXFA_Subform>(XFA_Element::Subform);
- if (pFormToplevelSubform)
- pFormToplevelSubform->InsertChild(pPendingPageSet, nullptr);
+ CXFA_Node* pNode = ToNode(pDocument->GetXFAObject(XFA_HASHCODE_Form));
+ if (pNode) {
+ CXFA_Node* pFormToplevelSubform =
+ pNode->GetFirstChildByClass<CXFA_Subform>(XFA_Element::Subform);
+ if (pFormToplevelSubform)
+ pFormToplevelSubform->InsertChild(pPendingPageSet, nullptr);
+ }
}
pDocument->DataMerge_UpdateBindingRelations(pPendingPageSet);
pPendingPageSet->SetFlagAndNotify(XFA_NodeFlag_Initialized);
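Review bot: The new `if (pNode)` guard silently skips attaching pPendingPageSet when the document has no form object, yet the page set still goes through `pDocument->DataMerge_UpdateBindingRelations(pPendingPageSet)` and is flagged `XFA_NodeFlag_Initialized` on the two lines after the closing brace, so it is processed while unparented. Nothing in the hunk says that this is the intended handling of such a document, and a future reader may well collapse the check back into a direct dereference; a one-line comment above `CXFA_Node* pNode = ToNode(...)` would pin it down, e.g. `// The document may lack a form object (see pdfium:1250); leave the page set unattached rather than dereference nullptr.` It is presumably also worth confirming that the binding update and later layout tolerate a page set with no parent, since the old code only reached those lines after a successful InsertChild or a null subform. MergePageSetContents begins and ends outside this hunk.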
diff --git a/xfa/fxfa/parser/xfa_document_datamerger_imp.cpp b/xfa/fxfa/parser/xfa_document_datamerger_imp.cpp
index 052680a..7962916 100644
--- a/xfa/fxfa/parser/xfa_document_datamerger_imp.cpp
+++ b/xfa/fxfa/parser/xfa_document_datamerger_imp.cpp
@@ -90,6 +90,9 @@
}
CXFA_Node* XFA_DataMerge_FindDataScope(CXFA_Node* pParentFormNode) {
+ if (!pParentFormNode)
+ return nullptr;
+
for (CXFA_Node* pRootBoundNode = pParentFormNode;
pRootBoundNode && pRootBoundNode->IsContainerNode();
pRootBoundNode = pRootBoundNode->GetParent()) {