From 5a399de2945d7b244802565d8e9d2f6e662561da Mon Sep 17 00:00:00 2001
From: tsepez
Date: Tue, 20 Sep 2016 13:23:21 -0700
Subject: Make CPDF_Array not do indirect object creation.

We remove the indirect object holder argument and check that call sites pass ownable objects, adding a reference in one place that always was passing an indirect object. Also check that the invariant isn't violated, we need to fail here in the wild and investigate -- these are existing UAFs.

Review-Url: https://codereview.chromium.org/2355083002
---
 core/fpdfapi/fpdf_edit/fpdf_edit_create.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'core/fpdfapi/fpdf_edit/fpdf_edit_create.cpp')

diff --git a/core/fpdfapi/fpdf_edit/fpdf_edit_create.cpp b/core/fpdfapi/fpdf_edit/fpdf_edit_create.cpp
index 45b8711efd..c43306317a 100644
--- a/core/fpdfapi/fpdf_edit/fpdf_edit_create.cpp
+++ b/core/fpdfapi/fpdf_edit/fpdf_edit_create.cpp
@@ -1940,7 +1940,7 @@ void CPDF_Creator::InitID(FX_BOOL bDefault) {
       std::vector buffer = PDF_GenerateFileID((uint32_t)(uintptr_t) this,
                                               m_dwLastObjNum);
       CFX_ByteString bsBuffer(buffer.data(), buffer.size());
-      m_pIDArray->Add(new CPDF_String(bsBuffer, TRUE), m_pDocument);
+      m_pIDArray->Add(new CPDF_String(bsBuffer, TRUE));
     }
   }
   if (!bDefault) {
@@ -1955,7 +1955,7 @@ void CPDF_Creator::InitID(FX_BOOL bDefault) {
       std::vector buffer = PDF_GenerateFileID((uint32_t)(uintptr_t) this,
                                               m_dwLastObjNum);
       CFX_ByteString bsBuffer(buffer.data(), buffer.size());
-      m_pIDArray->Add(new CPDF_String(bsBuffer, TRUE), m_pDocument);
+      m_pIDArray->Add(new CPDF_String(bsBuffer, TRUE));
       return;
     }
     m_pIDArray->Add(m_pIDArray->GetObjectAt(0)->Clone());
-- 
cgit v1.2.3
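Review bot: The new `m_pIDArray->Add(new CPDF_String(bsBuffer, TRUE));` in both hunks (lines 1943 and 1958) hands an owning raw pointer to Add with nothing at the call site saying that ownership transfers, which is exactly the ambiguity the commit message blames for the existing use-after-frees. Since the commit's point is that Add now only accepts ownable objects and fails on indirect ones, the ownership should be visible in the type rather than implied: construct the string as a `std::unique_ptr<CPDF_String>` and pass it with `std::move`, or, if Add keeps its raw-pointer signature, add `// Add() takes ownership; the object must not be an indirect object.` at each call. Whether Add's new signature accepts a unique_ptr is not visible in this diff, so that part is inferred. It is also worth confirming that the invariant check inside CPDF_Array::Add is enforced in release builds, because a debug-only assert would leave the UAF path reachable in shipping builds; that code is outside this diff. CPDF_Creator::InitID begins and ends outside both hunks.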