Fix leaks due to created popup annotationschromium/2847

When we create popup annotations, we also create the dictionary
associated with it. For regular annotations, the dictionary
associated with an annotation is not owned by annotation,
and will be released separately. But our created dictionary is not
associated with any other data structure, it would be leaked if not
released by the associated annotation.

Add a boolean to indicate the ownership to the dictionary, and release
the owned dictionary during the destruction of an annotation.

BUG=pdfium:242

Review-Url: https://codereview.chromium.org/2301613002

3 files changed, 15 insertions, 6 deletions

diff --git a/core/fpdfdoc/cpdf_annot.cpp b/core/fpdfdoc/cpdf_annot.cpp
index 6525ff620c..942d334a2d 100644
--- a/core/fpdfdoc/cpdf_annot.cpp
+++ b/core/fpdfdoc/cpdf_annot.cpp
@@ -18,8 +18,11 @@
 #include "core/fxge/include/cfx_pathdata.h"
 #include "core/fxge/include/cfx_renderdevice.h"
 
-CPDF_Annot::CPDF_Annot(CPDF_Dictionary* pDict, CPDF_Document* pDocument)
-    : m_pAnnotDict(pDict),
+CPDF_Annot::CPDF_Annot(CPDF_Dictionary* pDict,
+                       CPDF_Document* pDocument,
+                       bool bToOwnDict)
+    : m_bOwnedAnnotDict(bToOwnDict),
+      m_pAnnotDict(pDict),
       m_pDocument(pDocument),
       m_bOpenState(false),
       m_pPopupAnnot(nullptr) {
@@ -28,6 +31,8 @@ CPDF_Annot::CPDF_Annot(CPDF_Dictionary* pDict, CPDF_Document* pDocument)
 }
 
 CPDF_Annot::~CPDF_Annot() {
+  if (m_bOwnedAnnotDict)
+    m_pAnnotDict->Release();
   ClearCachedAP();
 }
 
diff --git a/core/fpdfdoc/cpdf_annotlist.cpp b/core/fpdfdoc/cpdf_annotlist.cpp
index 61122ed59b..631978175c 100644
--- a/core/fpdfdoc/cpdf_annotlist.cpp
+++ b/core/fpdfdoc/cpdf_annotlist.cpp
@@ -43,7 +43,7 @@ std::unique_ptr<CPDF_Annot> CreatePopupAnnot(CPDF_Annot* pAnnot,
   pAnnotDict->SetAtInteger("F", 0);
 
   std::unique_ptr<CPDF_Annot> pPopupAnnot(
-      new CPDF_Annot(pAnnotDict, pDocument));
+      new CPDF_Annot(pAnnotDict, pDocument, true));
   pAnnot->SetPopupAnnot(pPopupAnnot.get());
   return pPopupAnnot;
 }
@@ -83,7 +83,7 @@ CPDF_AnnotList::CPDF_AnnotList(CPDF_Page* pPage)
       continue;
 
     m_AnnotList.push_back(
-        std::unique_ptr<CPDF_Annot>(new CPDF_Annot(pDict, m_pDocument)));
+        std::unique_ptr<CPDF_Annot>(new CPDF_Annot(pDict, m_pDocument, false)));
     if (bRegenerateAP && pDict->GetStringBy("Subtype") == "Widget" &&
         CPDF_InterForm::IsUpdateAPEnabled()) {
       FPDF_GenerateAP(m_pDocument, pDict);
diff --git a/core/fpdfdoc/include/cpdf_annot.h b/core/fpdfdoc/include/cpdf_annot.h
index 82b3d3ca31..eb9f02a717 100644
--- a/core/fpdfdoc/include/cpdf_annot.h
+++ b/core/fpdfdoc/include/cpdf_annot.h
@@ -72,7 +72,7 @@ class CPDF_Annot {
       const CFX_ByteString& sSubtype);
   static CFX_ByteString AnnotSubtypeToString(CPDF_Annot::Subtype nSubtype);
 
-  CPDF_Annot(CPDF_Dictionary* pDict, CPDF_Document* pDocument);
+  CPDF_Annot(CPDF_Dictionary* pDict, CPDF_Document* pDocument, bool bToOwnDict);
   ~CPDF_Annot();
 
   CPDF_Annot::Subtype GetSubtype() const;
@@ -101,7 +101,11 @@ class CPDF_Annot {
  private:
   void GenerateAPIfNeeded();
 
-  CPDF_Dictionary* const m_pAnnotDict;
+  // For regular annotations, |m_pAnnotDict| is not owned. For
+  // our artificially created popup annotations, |m_pAnnotDict|
+  // is owned by this class.
+  bool m_bOwnedAnnotDict;
+  CPDF_Dictionary* m_pAnnotDict;
   CPDF_Document* const m_pDocument;
   CPDF_Annot::Subtype m_nSubtype;
   std::map<CPDF_Stream*, std::unique_ptr<CPDF_Form>> m_APMap;