From 5a399de2945d7b244802565d8e9d2f6e662561da Mon Sep 17 00:00:00 2001
From: tsepez
Date: Tue, 20 Sep 2016 13:23:21 -0700
Subject: Make CPDF_Array not do indirect object creation.

We remove the indirect object holder argument and check that call sites pass ownable objects, adding a reference in one place that always was passing an indirect object. Also check that the invariant isn't violated, we need to fail here in the wild and investigate -- these are existing UAFs.

Review-Url: https://codereview.chromium.org/2355083002
---
 core/fpdfapi/fpdf_parser/cpdf_document.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'core/fpdfapi/fpdf_parser/cpdf_document.cpp')

diff --git a/core/fpdfapi/fpdf_parser/cpdf_document.cpp b/core/fpdfapi/fpdf_parser/cpdf_document.cpp
index 020e3544e9..bd11ed26e6 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_document.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_document.cpp
@@ -302,7 +302,7 @@ int InsertNewPage(CPDF_Document* pDoc,
     pPagesList = new CPDF_Array;
     pPages->SetFor("Kids", pPagesList);
   }
-  pPagesList->Add(pPageDict, pDoc);
+  pPagesList->Add(new CPDF_Reference(pDoc, pPageDict->GetObjNum()));
   pPages->SetIntegerFor("Count", nPages + 1);
   pPageDict->SetReferenceFor("Parent", pDoc, pPages->GetObjNum());
 } else {
-- 
cgit v1.2.3
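Review bot: The added line silently depends on pPageDict already being an indirect object with a non-zero object number; if a caller ever hands in a direct dictionary, GetObjNum() yields 0 and the Kids array receives a reference that resolves to nothing, which corrupts the page tree quietly instead of failing fast as the commit description intends. Guarding the invariant right before the construction, `ASSERT(pPageDict->GetObjNum());` (or the project's equivalent check), would make that case surface during testing and fuzzing rather than as a broken document. A short comment such as `// Kids holds references only; pPageDict must already be indirect.` would also record why Add now receives a CPDF_Reference rather than the dictionary itself, and that Add takes ownership of the freshly allocated reference. InsertNewPage begins and ends outside this hunk, so whether earlier code in the function guarantees pPageDict is indirect cannot be confirmed from here.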