commit f81f9f0da0a2d4ea68edb75f5bcd58ff29e5bc14
author Lei Zhang <thestig@chromium.org> Tue Mar 12 23:24:30 2019 +0000
committer Chromium commit bot <commit-bot@chromium.org> Tue Mar 12 23:24:30 2019 +0000
tree f05e2ee784d1c78dbbf212c05b1b2be360845a9e
parent c3abbbbdf54bc8b4ee29a31f0cf1adb29b82c136

Fix a crash in DataMerge_UpdateBindingRelations().

CXFA_Document::DataMerge_UpdateBindingRelations() expects a valid node
argument. Check all the callers and add checks to those that do not have
them.

For testing, add an alternative to xfa_object_2_0.fragment that makes it
easier to write all the XML in a single object.

BUG=pdfium:1258

Change-Id: I7182bcb5e714af812d97d2e6534c9b2a4e8b53b4
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/51775
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

testing/resources/pixel/xfa_specific/bug_1258_1.in

diff --git a/testing/resources/pixel/xfa_specific/bug_1258_1.in b/testing/resources/pixel/xfa_specific/bug_1258_1.in
new file mode 100644
index 0000000..8777b06
--- /dev/null
+++ b/testing/resources/pixel/xfa_specific/bug_1258_1.in
Binary files differ

testing/resources/pixel/xfa_specific/bug_1258_1_expected.pdf.0.png

diff --git a/testing/resources/pixel/xfa_specific/bug_1258_1_expected.pdf.0.png b/testing/resources/pixel/xfa_specific/bug_1258_1_expected.pdf.0.png
new file mode 100644
index 0000000..08c11b0
--- /dev/null
+++ b/testing/resources/pixel/xfa_specific/bug_1258_1_expected.pdf.0.png
Binary files differ

testing/resources/pixel/xfa_specific/bug_1258_2.in

diff --git a/testing/resources/pixel/xfa_specific/bug_1258_2.in b/testing/resources/pixel/xfa_specific/bug_1258_2.in
new file mode 100644
index 0000000..01740f3
--- /dev/null
+++ b/testing/resources/pixel/xfa_specific/bug_1258_2.in
Binary files differ

testing/resources/pixel/xfa_specific/bug_1258_2_expected.pdf.0.png

diff --git a/testing/resources/pixel/xfa_specific/bug_1258_2_expected.pdf.0.png b/testing/resources/pixel/xfa_specific/bug_1258_2_expected.pdf.0.png
new file mode 100644
index 0000000..08c11b0
--- /dev/null
+++ b/testing/resources/pixel/xfa_specific/bug_1258_2_expected.pdf.0.png
Binary files differ

testing/resources/pixel/xfa_specific/bug_1258_3.in

diff --git a/testing/resources/pixel/xfa_specific/bug_1258_3.in b/testing/resources/pixel/xfa_specific/bug_1258_3.in
new file mode 100644
index 0000000..b0c7d8c
--- /dev/null
+++ b/testing/resources/pixel/xfa_specific/bug_1258_3.in
Binary files differ

testing/resources/pixel/xfa_specific/bug_1258_3_expected.pdf.0.png

diff --git a/testing/resources/pixel/xfa_specific/bug_1258_3_expected.pdf.0.png b/testing/resources/pixel/xfa_specific/bug_1258_3_expected.pdf.0.png
new file mode 100644
index 0000000..08c11b0
--- /dev/null
+++ b/testing/resources/pixel/xfa_specific/bug_1258_3_expected.pdf.0.png
Binary files differ

testing/resources/xfa_object_single_2_0.fragment

diff --git a/testing/resources/xfa_object_single_2_0.fragment b/testing/resources/xfa_object_single_2_0.fragment
new file mode 100644
index 0000000..67f66d1
--- /dev/null
+++ b/testing/resources/xfa_object_single_2_0.fragment
@@ -0,0 +1,4 @@
+{{object 2 0}} <<
+  /XFA 3 0 R
+>>
+endobj

xfa/fxfa/layout/cxfa_layoutpagemgr.cpp

diff --git a/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp b/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp
index 7f8138c..56cb8aa 100644
--- a/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp
+++ b/xfa/fxfa/layout/cxfa_layoutpagemgr.cpp
@@ -905,6 +905,9 @@
 
     pBreakLeaderNode = pDocument->DataMerge_CopyContainer(
         pLeaderTemplate, pFormNode, pDataScope, true, true, true);
+    if (!pBreakLeaderNode)
+      return false;
+
     pDocument->DataMerge_UpdateBindingRelations(pBreakLeaderNode);
     SetLayoutGeneratedNodeFlag(pBreakLeaderNode);
   }
@@ -917,6 +920,9 @@
 
     pBreakTrailerNode = pDocument->DataMerge_CopyContainer(
         pTrailerTemplate, pFormNode, pDataScope, true, true, true);
+    if (!pBreakTrailerNode)
+      return false;
+
     pDocument->DataMerge_UpdateBindingRelations(pBreakTrailerNode);
     SetLayoutGeneratedNodeFlag(pBreakTrailerNode);
   }
@@ -938,6 +944,9 @@
 
       pBookendAppendNode = pDocument->DataMerge_CopyContainer(
           pLeaderTemplate, pFormNode, pDataScope, true, true, true);
+      if (!pBookendAppendNode)
+        return false;
+
       pDocument->DataMerge_UpdateBindingRelations(pBookendAppendNode);
       SetLayoutGeneratedNodeFlag(pBookendAppendNode);
       return true;
@@ -1057,6 +1066,9 @@
 
         pLeaderNode = pDocument->DataMerge_CopyContainer(
             pLeaderTemplate, pFormNode, pDataScope, true, true, true);
+        if (!pLeaderNode)
+          return false;
+
         pDocument->DataMerge_UpdateBindingRelations(pLeaderNode);
         SetLayoutGeneratedNodeFlag(pLeaderNode);
       }
@@ -1066,6 +1078,9 @@
 
         pTrailerNode = pDocument->DataMerge_CopyContainer(
             pTrailerTemplate, pFormNode, pDataScope, true, true, true);
+        if (!pTrailerNode)
+          return false;
+
         pDocument->DataMerge_UpdateBindingRelations(pTrailerNode);
         SetLayoutGeneratedNodeFlag(pTrailerNode);
       }