From bd7820c536908801e49ea83a6ca73279cc07f5cd Mon Sep 17 00:00:00 2001
From: Jun Fang <jun_fang@foxitsoftware.com>
Date: Tue, 23 Feb 2016 08:32:22 +0800
Subject: Fix a crasher in ParsePostfixExpression()

BUG=pdfium:409
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1715363002 .
---
 xfa/src/fxfa/src/fm2js/xfa_fmparse.cpp | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/xfa/src/fxfa/src/fm2js/xfa_fmparse.cpp b/xfa/src/fxfa/src/fm2js/xfa_fmparse.cpp
index c8eb962325..b451aa5487 100644
--- a/xfa/src/fxfa/src/fm2js/xfa_fmparse.cpp
+++ b/xfa/src/fxfa/src/fm2js/xfa_fmparse.cpp
@@ -567,7 +567,7 @@ CXFA_FMSimpleExpression* CXFA_FMParse::ParsePostExpression(
     switch (m_pToken->m_type) {
       case TOKlparen: {
         NextToken();
-        CFX_PtrArray* pArray = 0;
+        CFX_PtrArray* pArray = nullptr;
         if (m_pToken->m_type != TOKrparen) {
           pArray = new CFX_PtrArray();
           while (m_pToken->m_type != TOKrparen) {
@@ -603,15 +603,13 @@ CXFA_FMSimpleExpression* CXFA_FMParse::ParsePostExpression(
             e = 0;
           }
         } else {
-          int32_t iSize = pArray->GetSize();
-          for (int32_t i = 0; i < iSize; ++i) {
-            CXFA_FMSimpleExpression* pTemp =
-                (CXFA_FMSimpleExpression*)pArray->GetAt(i);
-            delete pTemp;
+          int32_t nSize = pArray ? pArray->GetSize() : 0;
+          for (int32_t i = 0; i < nSize; ++i) {
+            delete static_cast<CXFA_FMSimpleExpression*>(pArray->GetAt(i));
           }
           delete pArray;
           delete e;
-          e = 0;
+          e = nullptr;
         }
       } break;
       case TOKdot:
-- 
cgit v1.2.3