From bd292ae8c0ca1793e8824add13bc8231cec3bc75 Mon Sep 17 00:00:00 2001
From: Oliver Chang <ochang@chromium.org>
Date: Wed, 13 Jan 2016 18:46:09 -0800
Subject: Merge to XFA: Fix some iterator invalidation issues while traversing
 CPDF_Dictionary.

Also fixes a potential issue in CPDF_Dictionary::ReplaceKey.

TBR=thestig@chromium.org
BUG=577030

Original Review URL: https://codereview.chromium.org/1582963003 .

(cherry picked from commit cae57daaa0f7ed4c92e22c4e7ef30392393d1128)

Review URL: https://codereview.chromium.org/1587703003 .
---
 core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp | 3 +++
 core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp  | 8 +++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

(limited to 'core/src/fpdfapi/fpdf_parser')

diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
index e0ce3faadf..cad8d7701d 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
@@ -734,6 +734,9 @@ void CPDF_Dictionary::ReplaceKey(const CFX_ByteStringC& oldkey,
   // Avoid 2 constructions of CFX_ByteString.
   CFX_ByteString newkey_bytestring = newkey;
   auto new_it = m_Map.find(newkey_bytestring);
+  if (new_it == old_it)
+    return;
+
   if (new_it != m_Map.end()) {
     new_it->second->Release();
     new_it->second = old_it->second;
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 73da3619bb..6f0fc76fc0 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -885,9 +885,11 @@ FX_BOOL CPDF_Parser::RebuildCrossRef() {
                       if (!pRoot ||
                           (pRef && IsValidObjectNumber(pRef->GetRefObjNum()) &&
                            m_ObjectInfo[pRef->GetRefObjNum()].pos != 0)) {
-                        for (const auto& it : *pTrailer) {
-                          const CFX_ByteString& key = it.first;
-                          CPDF_Object* pElement = it.second;
+                        auto it = pTrailer->begin();
+                        while (it != pTrailer->end()) {
+                          const CFX_ByteString& key = it->first;
+                          CPDF_Object* pElement = it->second;
+                          ++it;
                           FX_DWORD dwObjNum =
                               pElement ? pElement->GetObjNum() : 0;
                           if (dwObjNum) {
-- 
cgit v1.2.3