From 42a1bc02c0810c039afbcb62170c326f0e717320 Mon Sep 17 00:00:00 2001
From: Wei Li
Date: Fri, 12 Feb 2016 18:21:21 -0800
Subject: Fix the way to access marked content. When there is no dictionary for marked content, it potientially may cause crash. But it is not happening now since 1) we now check for the returned dict parameter 2) the alloc function in pdfium does zero initialization. BUG=pdfium:67 R=thestig@chromium.org Review URL: https://codereview.chromium.org/1695633004 .
---
 core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
(limited to 'core/src/fpdfapi/fpdf_page')
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp
index 37e3c04e53..20345138b4 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp
@@ -594,20 +594,19 @@ CPDF_ContentMarkItem::CPDF_ContentMarkItem(const CPDF_ContentMarkItem& src) {
 m_MarkName = src.m_MarkName;
 m_ParamType = src.m_ParamType;
 if (m_ParamType == DirectDict) {
- m_pParam = ToDictionary(static_cast(src.m_pParam))->Clone();
+ m_pParam = ToDictionary(src.m_pParam->Clone());
 } else {
 m_pParam = src.m_pParam;
 }
 }
 CPDF_ContentMarkItem::~CPDF_ContentMarkItem() {
- if (m_ParamType == DirectDict && m_pParam) {
- ToDictionary(static_cast(m_pParam))->Release();
- }
+ if (m_ParamType == DirectDict && m_pParam)
+ m_pParam->Release();
 }
 FX_BOOL CPDF_ContentMarkItem::HasMCID() const {
 if (m_pParam && (m_ParamType == DirectDict || m_ParamType == PropertiesDict)) {
- return ToDictionary(static_cast(m_pParam))->KeyExist("MCID");
+ return m_pParam->KeyExist("MCID");
 }
 return FALSE;
 }
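Review bot: The copy constructor in this hunk dereferences `src.m_pParam` without a null check when `m_ParamType == DirectDict`, while the destructor and `HasMCID()` a few lines below both guard on `m_pParam`, so a null parameter is evidently a state this class can be in. Marked-content parameters come from the parsed document, and the commit message itself ties a missing dictionary to a crash, so the guard should not depend on callers: `if (m_ParamType == DirectDict && src.m_pParam) {` lets the existing `else` branch copy the null pointer. The same unchecked dereference is in the `GetMCID()` hunk, where `pDict->KeyExist("MCID")` follows directly on `m_Marks[i].GetParam()`; `if (pDict && pDict->KeyExist("MCID")) {` would match `HasMCID()`. The constructor's signature appears only in the hunk header and `GetMCID()` starts and ends outside its hunk, so a check elsewhere cannot be ruled out.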
@@ -622,8 +621,7 @@ int CPDF_ContentMarkData::GetMCID() const {
 type = m_Marks[i].GetParamType();
 if (type == CPDF_ContentMarkItem::PropertiesDict || type == CPDF_ContentMarkItem::DirectDict) {
- CPDF_Dictionary* pDict =
- ToDictionary(static_cast(m_Marks[i].GetParam()));
+ CPDF_Dictionary* pDict = m_Marks[i].GetParam();
 if (pDict->KeyExist("MCID")) {
 return pDict->GetIntegerBy("MCID");
 }
@@ -641,7 +639,7 @@ void CPDF_ContentMarkData::AddMark(const CFX_ByteString& name,
 }
 item.SetParam(bDirect ? CPDF_ContentMarkItem::DirectDict : CPDF_ContentMarkItem::PropertiesDict,
- bDirect ? pDict->Clone() : pDict);
+ bDirect ? ToDictionary(pDict->Clone()) : pDict);
 }
 void CPDF_ContentMarkData::DeleteLastMark() {
 int size = m_Marks.GetSize();
@@ -673,7 +671,7 @@ FX_BOOL CPDF_ContentMark::LookupMark(const CFX_ByteStringC& mark,
 pDict = NULL;
 if (item.GetParamType() == CPDF_ContentMarkItem::PropertiesDict || item.GetParamType() == CPDF_ContentMarkItem::DirectDict) {
- pDict = ToDictionary(static_cast(item.GetParam()));
+ pDict = item.GetParam();
 }
 return TRUE;
 }
-- cgit v1.2.3
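Review bot: Ownership of the dictionary passed to `item.SetParam(...)` in the `AddMark()` hunk is not documented: with `bDirect` the item receives a private clone, otherwise it keeps the caller's pointer, and `~CPDF_ContentMarkItem()` releases only the `DirectDict` case. A comment above the call would make the lifetime rule explicit, e.g. `// DirectDict: item owns the clone and releases it in its destructor; PropertiesDict: borrowed pointer, must outlive the mark.` The `LookupMark()` hunk hands the same pointer to its caller through `pDict`, so its contract should state that the result is non-owning and stays NULL on a TRUE return when the mark has neither dictionary type. Both functions begin outside their hunks.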