Avoid a potential leak in CPDF_IndirectObjectHolder

Keep a vector of object superseeded by another object.  These will
no longer be returned from the holder, but it will clean them

Change-Id: If9754ff6614bd79e9de6ce8c3492230435813218
Reviewed-on: https://pdfium-review.googlesource.com/2790
Reviewed-by: Nicolás Peña <npm@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

2 files changed, 5 insertions, 1 deletions

diff --git a/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp b/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp
index ef3de92f76..3037d0b9b5 100644
--- a/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp
+++ b/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp
@@ -56,7 +56,9 @@ CPDF_Object* CPDF_IndirectObjectHolder::AddIndirectObject(
   CHECK(!pObj->m_ObjNum);
   CPDF_Object* pUnowned = pObj.get();
   pObj->m_ObjNum = ++m_LastObjNum;
-  m_IndirectObjs[m_LastObjNum].release();  // TODO(tsepez): stop this leak.
+  if (m_IndirectObjs[m_LastObjNum])
+    m_OrphanObjs.push_back(std::move(m_IndirectObjs[m_LastObjNum]));
+
   m_IndirectObjs[m_LastObjNum] = std::move(pObj);
   return pUnowned;
 }
diff --git a/core/fpdfapi/parser/cpdf_indirect_object_holder.h b/core/fpdfapi/parser/cpdf_indirect_object_holder.h
index 1b174d8b62..b6d33a3cd5 100644
--- a/core/fpdfapi/parser/cpdf_indirect_object_holder.h
+++ b/core/fpdfapi/parser/cpdf_indirect_object_holder.h
@@ -11,6 +11,7 @@
 #include <memory>
 #include <type_traits>
 #include <utility>
+#include <vector>
 
 #include "core/fpdfapi/parser/cpdf_object.h"
 #include "core/fxcrt/cfx_string_pool_template.h"
@@ -70,6 +71,7 @@ class CPDF_IndirectObjectHolder {
  private:
   uint32_t m_LastObjNum;
   std::map<uint32_t, std::unique_ptr<CPDF_Object>> m_IndirectObjs;
+  std::vector<std::unique_ptr<CPDF_Object>> m_OrphanObjs;
   CFX_WeakPtr<CFX_ByteStringPool> m_pByteStringPool;
 };