From 717d1330bafb846e4cd25bfb4952bfdedce0db91 Mon Sep 17 00:00:00 2001
From: thestig
Date: Tue, 20 Sep 2016 05:58:19 -0700
Subject: Fix nullptr dereference in FPDF_GenerateAP().

BUG=645954
Review-Url: https://codereview.chromium.org/2355733002
---
 core/fpdfdoc/cpvt_generateap.cpp | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
(limited to 'core/fpdfdoc')
diff --git a/core/fpdfdoc/cpvt_generateap.cpp b/core/fpdfdoc/cpvt_generateap.cpp
index 1e531799e8..d7c8bec3a1 100644
--- a/core/fpdfdoc/cpvt_generateap.cpp
+++ b/core/fpdfdoc/cpvt_generateap.cpp
@@ -6,6 +6,8 @@
 
 #include "core/fpdfdoc/cpvt_generateap.h"
 
+#include
+
 #include "core/fpdfapi/fpdf_font/include/cpdf_font.h"
 #include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h"
 #include "core/fpdfapi/fpdf_parser/include/cpdf_document.h"
@@ -669,18 +671,23 @@ bool FPDF_GenerateAP(CPDF_Document* pDoc, CPDF_Dictionary* pAnnotDict) {
 if (!pAnnotDict || pAnnotDict->GetStringFor("Subtype") != "Widget")
 return false;
 
- CFX_ByteString field_type = FPDF_GetFieldAttr(pAnnotDict, "FT")->GetString();
- uint32_t flags = FPDF_GetFieldAttr(pAnnotDict, "Ff")
- ? FPDF_GetFieldAttr(pAnnotDict, "Ff")->GetInteger()
- : 0;
- if (field_type == "Tx") {
+ CPDF_Object* pFieldTypeObj = FPDF_GetFieldAttr(pAnnotDict, "FT");
+ if (!pFieldTypeObj)
+ return false;
+
+ CFX_ByteString field_type = pFieldTypeObj->GetString();
+ if (field_type == "Tx")
 return CPVT_GenerateAP::GenerateTextFieldAP(pDoc, pAnnotDict);
- }
+
+ CPDF_Object* pFieldFlagsObj = FPDF_GetFieldAttr(pAnnotDict, "Ff");
+ uint32_t flags = pFieldFlagsObj ? pFieldFlagsObj->GetInteger() : 0;
+
 if (field_type == "Ch") {
 return (flags & (1 << 17))
 ? CPVT_GenerateAP::GenerateComboBoxAP(pDoc, pAnnotDict)
 : CPVT_GenerateAP::GenerateListBoxAP(pDoc, pAnnotDict);
 }
+
 if (field_type == "Btn") {
 if (!(flags & (1 << 16))) {
 if (!pAnnotDict->KeyExist("AS")) {
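Review bot: `pDoc` is still forwarded unchecked to `GenerateTextFieldAP`, `GenerateComboBoxAP` and `GenerateListBoxAP`, while `pAnnotDict` and now the `FT` object are both null-checked; whether those callees tolerate a null document is not visible in this hunk. If they do not, the guard at the top of `FPDF_GenerateAP` could become `if (!pDoc || !pAnnotDict || pAnnotDict->GetStringFor("Subtype") != "Widget")`; otherwise a comment above the function should state that `pDoc` must be non-null. The new early `return false` would also benefit from a short comment such as `// FT comes from the document and may be absent in malformed input.` so the reason for the check survives later refactors. Separately, the `1 << 17` and `1 << 16` masks applied to `flags` would read better as named constants for the `Ff` bits they test. The body of `FPDF_GenerateAP` continues past the end of this hunk.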
@@ -692,6 +699,7 @@ bool FPDF_GenerateAP(CPDF_Document* pDoc, CPDF_Dictionary* pAnnotDict) {
 }
 }
 }
+
 return false;
 }
 
-- cgit v1.2.3