Fix the problem that memory is accessed after released due to invalid type-cast

BUG=387774 R=palmer@chromium.org, tsepez@chromium.org Review URL: https://codereview.chromium.org/441503003
author: Jun Fang <jun_fang@foxitsoftware.com> 2014-08-05 04:32:48 -0700
committer: Jun Fang <jun_fang@foxitsoftware.com> 2014-08-05 04:32:48 -0700
commit: ef72d48bc190017cc4181135b6593357ccc7d977 (patch)
tree: 5a30b6edc45b9efb4a4a073a0dad94b86224ca8b /core/src/fpdfdoc
parent: 1b9c5c4dc41956b8c5ab17b9a882adf8a2513768 (diff)
download: pdfium-ef72d48bc190017cc4181135b6593357ccc7d977.tar.xz
1 files changed, 5 insertions, 2 deletions
diff --git a/core/src/fpdfdoc/doc_tagged.cpp b/core/src/fpdfdoc/doc_tagged.cpp
index 551042037b..698157356c 100644
--- a/core/src/fpdfdoc/doc_tagged.cpp
+++ b/core/src/fpdfdoc/doc_tagged.cpp
@@ -192,8 +192,11 @@ FX_BOOL CPDF_StructTreeImpl::AddTopLevelNode(CPDF_Dictionary* pDict, CPDF_Struct
         FX_DWORD i;
         FX_BOOL bSave = FALSE;
         for (i = 0; i < pTopKids->GetCount(); i ++) {
-            CPDF_Reference* pKidRef = (CPDF_Reference*)pTopKids->GetElement(i);
-            if (pKidRef->GetType() != PDFOBJ_REFERENCE || pKidRef->GetRefObjNum() != pDict->GetObjNum()) {
+            CPDF_Object* pKidRef = pTopKids->GetElement(i);
+            if (pKidRef == NULL || pKidRef->GetType() != PDFOBJ_REFERENCE) {
+                continue;
+            }
+            if (((CPDF_Reference*) pKidRef)->GetRefObjNum() != pDict->GetObjNum()) {
                 continue;
             }
             if (m_Kids[i]) {
author	Jun Fang <jun_fang@foxitsoftware.com>	2014-08-05 04:32:48 -0700
committer	Jun Fang <jun_fang@foxitsoftware.com>	2014-08-05 04:32:48 -0700
commit	ef72d48bc190017cc4181135b6593357ccc7d977 (patch)
tree	5a30b6edc45b9efb4a4a073a0dad94b86224ca8b /core/src/fpdfdoc
parent	1b9c5c4dc41956b8c5ab17b9a882adf8a2513768 (diff)
download	pdfium-ef72d48bc190017cc4181135b6593357ccc7d977.tar.xz