From db9e49889d4129bbe96abdbce7dc3662e97a9df8 Mon Sep 17 00:00:00 2001
From: thestig <thestig@chromium.org>
Date: Thu, 19 May 2016 15:36:36 -0700
Subject: Fix a potential nullptr deref in CFX_MapPtrToPtr.

And also in CFX_PtrList.

BUG=596528

Review-Url: https://codereview.chromium.org/1991123002
---
 core/fxcrt/fx_basic_list.cpp | 12 +++++++++---
 core/fxcrt/fx_basic_maps.cpp | 25 ++++++++++++++-----------
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/core/fxcrt/fx_basic_list.cpp b/core/fxcrt/fx_basic_list.cpp
index 02afd47112..f128176d00 100644
--- a/core/fxcrt/fx_basic_list.cpp
+++ b/core/fxcrt/fx_basic_list.cpp
@@ -73,12 +73,18 @@ void CFX_PtrList::FreeNode(CFX_PtrList::CNode* pNode) {
     RemoveAll();
   }
 }
+
 void CFX_PtrList::RemoveAll() {
   m_nCount = 0;
-  m_pNodeHead = m_pNodeTail = m_pNodeFree = NULL;
-  m_pBlocks->FreeDataChain();
-  m_pBlocks = NULL;
+  m_pNodeHead = nullptr;
+  m_pNodeTail = nullptr;
+  m_pNodeFree = nullptr;
+  if (m_pBlocks) {
+    m_pBlocks->FreeDataChain();
+    m_pBlocks = nullptr;
+  }
 }
+
 CFX_PtrList::CNode* CFX_PtrList::NewNode(CFX_PtrList::CNode* pPrev,
                                          CFX_PtrList::CNode* pNext) {
   if (!m_pNodeFree) {
diff --git a/core/fxcrt/fx_basic_maps.cpp b/core/fxcrt/fx_basic_maps.cpp
index 660306b11a..dda8167bdb 100644
--- a/core/fxcrt/fx_basic_maps.cpp
+++ b/core/fxcrt/fx_basic_maps.cpp
@@ -8,22 +8,26 @@
 #include "core/fxcrt/plex.h"
 
 CFX_MapPtrToPtr::CFX_MapPtrToPtr(int nBlockSize)
-    : m_pHashTable(NULL),
+    : m_pHashTable(nullptr),
       m_nHashTableSize(17),
       m_nCount(0),
-      m_pFreeList(NULL),
-      m_pBlocks(NULL),
+      m_pFreeList(nullptr),
+      m_pBlocks(nullptr),
       m_nBlockSize(nBlockSize) {
   ASSERT(m_nBlockSize > 0);
 }
+
 void CFX_MapPtrToPtr::RemoveAll() {
   FX_Free(m_pHashTable);
-  m_pHashTable = NULL;
+  m_pHashTable = nullptr;
   m_nCount = 0;
-  m_pFreeList = NULL;
-  m_pBlocks->FreeDataChain();
-  m_pBlocks = NULL;
+  m_pFreeList = nullptr;
+  if (m_pBlocks) {
+    m_pBlocks->FreeDataChain();
+    m_pBlocks = nullptr;
+  }
 }
+
 CFX_MapPtrToPtr::~CFX_MapPtrToPtr() {
   RemoveAll();
   ASSERT(m_nCount == 0);
@@ -63,14 +67,13 @@ FX_BOOL CFX_MapPtrToPtr::Lookup(void* key, void*& rValue) const {
   rValue = pAssoc->value;
   return TRUE;
 }
+
 void* CFX_MapPtrToPtr::GetValueAt(void* key) const {
   uint32_t nHash;
   CAssoc* pAssoc = GetAssocAt(key, nHash);
-  if (!pAssoc) {
-    return NULL;
-  }
-  return pAssoc->value;
+  return pAssoc ? pAssoc->value : nullptr;
 }
+
 void*& CFX_MapPtrToPtr::operator[](void* key) {
   uint32_t nHash;
   CAssoc* pAssoc;
-- 
cgit v1.2.3