Move replaced indirect objects to the orphans list.

ReplaceIndirectObjectIfHigherGeneration() deletes replaced objects, but
those objects may be in use. So move them to the orphans list instead to
avoid potential dangling pointers.

BUG=chromium:757705

Change-Id: Ide83a1b85b754166d298fd50e655ca331ba4f942
Reviewed-on: https://pdfium-review.googlesource.com/11670
Reviewed-by: Art Snake <art-snake@yandex-team.ru>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

3 files changed, 5 insertions, 0 deletions

diff --git a/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp b/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp
index 3037d0b9b5..93795b62be 100644
--- a/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp
+++ b/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp
@@ -75,6 +75,7 @@ bool CPDF_IndirectObjectHolder::ReplaceIndirectObjectIfHigherGeneration(
     return false;
 
   pObj->m_ObjNum = objnum;
+  m_OrphanObjs.push_back(std::move(m_IndirectObjs[objnum]));
   m_IndirectObjs[objnum] = std::move(pObj);
   m_LastObjNum = std::max(m_LastObjNum, objnum);
   return true;
diff --git a/core/fpdfapi/parser/cpdf_parser_embeddertest.cpp b/core/fpdfapi/parser/cpdf_parser_embeddertest.cpp
index fa3a76a4c4..99bc2c2d42 100644
--- a/core/fpdfapi/parser/cpdf_parser_embeddertest.cpp
+++ b/core/fpdfapi/parser/cpdf_parser_embeddertest.cpp
@@ -53,3 +53,7 @@ TEST_F(CPDFParserEmbeddertest, Bug_602650) {
   FPDFText_ClosePage(text_page);
   UnloadPage(page);
 }
+
+TEST_F(CPDFParserEmbeddertest, Bug_757705) {
+  EXPECT_TRUE(OpenDocument("bug_757705.pdf"));
+}
diff --git a/testing/resources/bug_757705.pdf b/testing/resources/bug_757705.pdf
new file mode 100644
index 0000000000..ef7d96e678
--- /dev/null
+++ b/testing/resources/bug_757705.pdf