diff options
author | tsepez <tsepez@chromium.org> | 2016-09-23 12:21:10 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-09-23 12:21:10 -0700 |
commit | 7757143c12c972c9b0813b5b53cecba33544e7f8 (patch) | |
tree | 80970d1293d42cb93254fa35ac8293776e0b16e9 /core | |
parent | 4dd613cb51c1d77ac2998f760325ed5b93f4ebf0 (diff) | |
download | pdfium-7757143c12c972c9b0813b5b53cecba33544e7f8.tar.xz |
Avoid collisions in CPDF_IndirectObjectHolder::AddIndirectObject()
The change at 5b7c9bb differed from the original code in
that a pre-existing object would now be freed, which showed
that a collision could be possible if m_LastObjNum overflowed.
BUG=649206
Review-Url: https://codereview.chromium.org/2361303002
Diffstat (limited to 'core')
-rw-r--r-- | core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp b/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp index 800e34b3d1..0a15e2dce1 100644 --- a/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp +++ b/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp @@ -47,6 +47,7 @@ uint32_t CPDF_IndirectObjectHolder::AddIndirectObject(CPDF_Object* pObj) { return pObj->m_ObjNum; m_LastObjNum++; + m_IndirectObjs[m_LastObjNum].release(); // TODO(tsepez): stop this leak. m_IndirectObjs[m_LastObjNum].reset(pObj); pObj->m_ObjNum = m_LastObjNum; return m_LastObjNum; |