Make CPDF_Array not do indirect object creation.

We remove the indirect object holder argument and check that
call sites pass ownable objects, adding a reference in one
place that always was passing an indirect object.

Also check that the invariant isn't violated, we need to fail
here in the wild and investigate -- these are existing UAFs.

Review-Url: https://codereview.chromium.org/2355083002

1 files changed, 4 insertions, 4 deletions

diff --git a/fpdfsdk/fpdfsave.cpp b/fpdfsdk/fpdfsave.cpp
index 307163d1af..e5938b2542 100644
--- a/fpdfsdk/fpdfsave.cpp
+++ b/fpdfsdk/fpdfsave.cpp
@@ -185,10 +185,10 @@ bool SaveXFADocumentData(CPDFXFA_Document* pDocument,
       } else {
         CPDF_Stream* pData = new CPDF_Stream;
         pData->InitStreamFromFile(pDsfileWrite.get(), pDataDict);
-        pPDFDocument->AddIndirectObject(pData);
+        uint32_t objnum = pPDFDocument->AddIndirectObject(pData);
         iLast = pArray->GetCount() - 2;
         pArray->InsertAt(iLast, new CPDF_String("datasets", FALSE));
-        pArray->InsertAt(iLast + 1, pData, pPDFDocument);
+        pArray->InsertAt(iLast + 1, new CPDF_Reference(pPDFDocument, objnum));
       }
       fileList->push_back(std::move(pDsfileWrite));
     }
@@ -206,10 +206,10 @@ bool SaveXFADocumentData(CPDFXFA_Document* pDocument,
       } else {
         CPDF_Stream* pData = new CPDF_Stream;
         pData->InitStreamFromFile(pfileWrite.get(), pDataDict);
-        pPDFDocument->AddIndirectObject(pData);
+        uint32_t objnum = pPDFDocument->AddIndirectObject(pData);
         iLast = pArray->GetCount() - 2;
         pArray->InsertAt(iLast, new CPDF_String("form", FALSE));
-        pArray->InsertAt(iLast + 1, pData, pPDFDocument);
+        pArray->InsertAt(iLast + 1, new CPDF_Reference(pPDFDocument, objnum));
       }
       fileList->push_back(std::move(pfileWrite));
     }