Speculative fix for segv destroying CPDF_PageObjectHolder::m_GraphicsMap

We speculate that the bug that makes the comparison operator irreflexive
might be the cause of the segv on windows production code, should a
NaN sneak into the GraphicsData struct. In any event, should this
happen, the tree won't be correct with some nodes erroneously replaced.

Add a test which fails prior to the patch, but alas does not elicit
the segv.

Also move operator<() methods to .cpp file corresponding to .h file
in which they are delcared.

Bug: 852273
Change-Id: Ib7929881e7ffbed8b09f6e2c9fb7898cbde58946
Reviewed-on: https://pdfium-review.googlesource.com/35171
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

1 files changed, 15 insertions, 0 deletions

diff --git a/core/fpdfapi/page/cpdf_pageobjectholder.cpp b/core/fpdfapi/page/cpdf_pageobjectholder.cpp
index 3eb88ec9c0..67f68c7c42 100644
--- a/core/fpdfapi/page/cpdf_pageobjectholder.cpp
+++ b/core/fpdfapi/page/cpdf_pageobjectholder.cpp
@@ -15,6 +15,21 @@
 #include "core/fpdfapi/page/cpdf_pageobject.h"
 #include "core/fpdfapi/parser/cpdf_dictionary.h"
 #include "core/fpdfapi/parser/cpdf_document.h"
+#include "core/fxcrt/fx_extension.h"
+
+bool GraphicsData::operator<(const GraphicsData& other) const {
+  if (!FXSYS_SafeEQ(fillAlpha, other.fillAlpha))
+    return FXSYS_SafeLT(fillAlpha, other.fillAlpha);
+  if (!FXSYS_SafeEQ(strokeAlpha, other.strokeAlpha))
+    return FXSYS_SafeLT(strokeAlpha, other.strokeAlpha);
+  return blendType < other.blendType;
+}
+
+bool FontData::operator<(const FontData& other) const {
+  if (baseFont != other.baseFont)
+    return baseFont < other.baseFont;
+  return type < other.type;
+}
 
 CPDF_PageObjectHolder::CPDF_PageObjectHolder(CPDF_Document* pDoc,
                                              CPDF_Dictionary* pDict)