From 3301ab30aeec548833eb2d693bd3eebf9d1c28ce Mon Sep 17 00:00:00 2001
From: thestig <thestig@chromium.org>
Date: Mon, 16 May 2016 16:45:16 -0700
Subject: Fix a nullptr deref in CPDF_BookmarkTree::GetFirstChild().

BUG=590927

Review-Url: https://codereview.chromium.org/1988443002
---
 core/fpdfdoc/doc_bookmark.cpp | 44 ++++++++++++++++++++++++-------------------
 1 file changed, 25 insertions(+), 19 deletions(-)

diff --git a/core/fpdfdoc/doc_bookmark.cpp b/core/fpdfdoc/doc_bookmark.cpp
index 05ebc07a90..2c6f0dddef 100644
--- a/core/fpdfdoc/doc_bookmark.cpp
+++ b/core/fpdfdoc/doc_bookmark.cpp
@@ -14,43 +14,49 @@
 
 CPDF_Bookmark CPDF_BookmarkTree::GetFirstChild(
     const CPDF_Bookmark& parent) const {
-  if (!parent.GetDict()) {
-    CPDF_Dictionary* pRoot = m_pDocument->GetRoot()->GetDictBy("Outlines");
-    if (!pRoot)
-      return CPDF_Bookmark();
-    return CPDF_Bookmark(pRoot->GetDictBy("First"));
-  }
-  return CPDF_Bookmark(parent.GetDict()->GetDictBy("First"));
+  CPDF_Dictionary* pParentDict = parent.GetDict();
+  if (pParentDict)
+    return CPDF_Bookmark(pParentDict->GetDictBy("First"));
+
+  CPDF_Dictionary* pRoot = m_pDocument->GetRoot();
+  if (!pRoot)
+    return CPDF_Bookmark();
+
+  CPDF_Dictionary* pOutlines = pRoot->GetDictBy("Outlines");
+  if (!pOutlines)
+    return CPDF_Bookmark();
+
+  return CPDF_Bookmark(pOutlines->GetDictBy("First"));
 }
 
 CPDF_Bookmark CPDF_BookmarkTree::GetNextSibling(
     const CPDF_Bookmark& bookmark) const {
-  if (!bookmark.GetDict())
+  CPDF_Dictionary* pDict = bookmark.GetDict();
+  if (!pDict)
     return CPDF_Bookmark();
 
-  CPDF_Dictionary* pNext = bookmark.GetDict()->GetDictBy("Next");
-  return pNext == bookmark.GetDict() ? CPDF_Bookmark() : CPDF_Bookmark(pNext);
+  CPDF_Dictionary* pNext = pDict->GetDictBy("Next");
+  return pNext == pDict ? CPDF_Bookmark() : CPDF_Bookmark(pNext);
 }
 
 uint32_t CPDF_Bookmark::GetColorRef() const {
-  if (!m_pDict) {
-    return 0;
-  }
+  if (!m_pDict)
+    return FXSYS_RGB(0, 0, 0);
+
   CPDF_Array* pColor = m_pDict->GetArrayBy("C");
-  if (!pColor) {
+  if (!pColor)
     return FXSYS_RGB(0, 0, 0);
-  }
+
   int r = FXSYS_round(pColor->GetNumberAt(0) * 255);
   int g = FXSYS_round(pColor->GetNumberAt(1) * 255);
   int b = FXSYS_round(pColor->GetNumberAt(2) * 255);
   return FXSYS_RGB(r, g, b);
 }
+
 uint32_t CPDF_Bookmark::GetFontStyle() const {
-  if (!m_pDict) {
-    return 0;
-  }
-  return m_pDict->GetIntegerBy("F");
+  return m_pDict ? m_pDict->GetIntegerBy("F") : 0;
 }
+
 CFX_WideString CPDF_Bookmark::GetTitle() const {
   if (!m_pDict) {
     return CFX_WideString();
-- 
cgit v1.2.3