From ef72d48bc190017cc4181135b6593357ccc7d977 Mon Sep 17 00:00:00 2001
From: Jun Fang
Date: Tue, 5 Aug 2014 04:32:48 -0700
Subject: Fix the problem that memory is accessed after released due to invalid type-cast
BUG=387774
R=palmer@chromium.org, tsepez@chromium.org
Review URL: https://codereview.chromium.org/441503003
---
core/src/fpdfdoc/doc_tagged.cpp | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'core/src/fpdfdoc')
diff --git a/core/src/fpdfdoc/doc_tagged.cpp b/core/src/fpdfdoc/doc_tagged.cpp
index 551042037b..698157356c 100644
--- a/core/src/fpdfdoc/doc_tagged.cpp
+++ b/core/src/fpdfdoc/doc_tagged.cpp
@@ -192,8 +192,11 @@ FX_BOOL CPDF_StructTreeImpl::AddTopLevelNode(CPDF_Dictionary* pDict, CPDF_Struct
 FX_DWORD i;
 FX_BOOL bSave = FALSE;
 for (i = 0; i < pTopKids->GetCount(); i ++) {
- CPDF_Reference* pKidRef = (CPDF_Reference*)pTopKids->GetElement(i);
- if (pKidRef->GetType() != PDFOBJ_REFERENCE || pKidRef->GetRefObjNum() != pDict->GetObjNum()) {
+ CPDF_Object* pKidRef = pTopKids->GetElement(i);
+ if (pKidRef == NULL || pKidRef->GetType() != PDFOBJ_REFERENCE) {
+ continue;
+ }
+ if (((CPDF_Reference*) pKidRef)->GetRefObjNum() != pDict->GetObjNum()) {
 continue;
 }
 if (m_Kids[i]) {
-- cgit v1.2.3
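Review bot: The downcast in `((CPDF_Reference*) pKidRef)->GetRefObjNum()` is only safe because of the `GetType()` test in the preceding `if`, yet nothing in the new lines says so, and the local is still named `pKidRef` although it is now a `CPDF_Object*` of any type. A comment such as `// Kids entries come from the document and may be any object type; check before casting.` above the check, and a typed local after it, `CPDF_Reference* pRef = static_cast<CPDF_Reference*>(pKidRef);`, would keep a later edit from separating the cast from its guard. The context line `if (m_Kids[i])` indexes `m_Kids` with a bound taken from `pTopKids->GetCount()`; whether `m_Kids` is guaranteed to hold that many entries cannot be seen here, since AddTopLevelNode begins and ends outside the hunk, and is worth confirming.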