From a26b3289515acebc1e936234a1b076d4a9a3fca5 Mon Sep 17 00:00:00 2001
From: foxit
Date: Mon, 7 Jul 2014 14:06:56 -0700
Subject: fix a crash issue in _CMapLookupCallback
BUG=382242
R=palmer@chromium.org
Review URL: https://codereview.chromium.org/341333004
---
 core/include/fpdfapi/fpdf_objects.h | 7 +++++++
 core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp | 10 ++++++++--
 core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 1 +
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/core/include/fpdfapi/fpdf_objects.h b/core/include/fpdfapi/fpdf_objects.h
index a41ff087ca..1b7cb94583 100644
--- a/core/include/fpdfapi/fpdf_objects.h
+++ b/core/include/fpdfapi/fpdf_objects.h
@@ -49,6 +49,11 @@ public:
 return m_ObjNum;
 }
+ FX_DWORD GetGenNum() const
+ {
+ return m_GenNum;
+ }
+
 FX_BOOL IsIdentical(CPDF_Object* pObj) const;
 CPDF_Object* Clone(FX_BOOL bDirect = FALSE) const;
@@ -90,9 +95,11 @@ protected:
 CPDF_Object()
 {
 m_ObjNum = 0;
+ m_GenNum = 0;
 }
 FX_DWORD m_ObjNum;
+ FX_DWORD m_GenNum;
 void Destroy();
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
index 6c93bcb39f..e945ab52a0 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
@@ -1271,9 +1271,15 @@ void CPDF_IndirectObjects::InsertIndirectObject(FX_DWORD objnum, CPDF_Object* pO
 if (objnum == 0 || pObj == NULL) {
 return;
 }
- FX_LPVOID value;
+ FX_LPVOID value = NULL;
 if (m_IndirectObjs.Lookup((FX_LPVOID)(FX_UINTPTR)objnum, value)) {
- ((CPDF_Object*)value)->Destroy();
+ if (value)
+ {
+ if (pObj->GetGenNum() <= ((CPDF_Object*)value)->GetGenNum())
+ return;
+ else
+ ((CPDF_Object*)value)->Destroy();
+ }
 }
 pObj->m_ObjNum = objnum;
 m_IndirectObjs.SetAt((FX_LPVOID)(FX_UINTPTR)objnum, pObj);
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index b9e535977d..3bfd37fe4a 100644
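Review bot: `GetGenNum()` has no comment saying where its value comes from, yet InsertIndirectObject in fpdf_parser_objects.cpp now bases its keep-or-replace decision on it. A short comment above the accessor, for example `// Generation number taken from the file; 0 unless the parser recorded one.`, would tell callers that 0 is also the default the constructor assigns to objects that were never parsed.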
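Review bot: The early `return` taken when `pObj->GetGenNum() <= ((CPDF_Object*)value)->GetGenNum()` leaves `pObj` neither stored nor destroyed, and because InsertIndirectObject returns void the caller cannot tell that the insert was refused. If callers treat this call as handing over ownership, the rejected object is leaked, and a caller that keeps using `pObj` holds an object whose `m_ObjNum` was never set here; the ownership rule for this path should be stated in a comment or the refusal made visible to the caller. As far as this patch shows, objects that did not come through the parser keep generation 0 from the constructor, so `<=` also refuses to replace an existing generation-0 entry with a new generation-0 object, which looks like a behaviour change for code that overwrites objects and should be confirmed. An explicit `if (value == pObj) return;` ahead of the comparison would make the same-object case, where the old code destroyed the pointer it then stored, obvious to the reader. The function's closing lines are outside the hunk.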
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -1384,6 +1384,7 @@ CPDF_Object* CPDF_Parser::ParseIndirectObjectAt(CPDF_IndirectObjects* pObjList,
 m_Syntax.RestorePos(SavedPos);
 if (pObj && !objnum) {
 pObj->m_ObjNum = real_objnum;
+ pObj->m_GenNum = gennum;
 }
 return pObj;
 }
--
cgit v1.2.3
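Review bot: `gennum` comes from the document being parsed, and with this commit it decides in InsertIndirectObject which of two objects sharing a number survives, so the file's content controls that choice. The assignment `pObj->m_GenNum = gennum;` sits inside `if (pObj && !objnum)`, so objects parsed with a caller-supplied `objnum` keep generation 0; if that is intended, a comment such as `// generation is recorded only when the object number is taken from the file` would say so. Whether `gennum` is range-checked earlier in ParseIndirectObjectAt cannot be seen here, because the function body starts outside the hunk.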