From 7757143c12c972c9b0813b5b53cecba33544e7f8 Mon Sep 17 00:00:00 2001
From: tsepez <tsepez@chromium.org>
Date: Fri, 23 Sep 2016 12:21:10 -0700
Subject: Avoid collisions in CPDF_IndirectObjectHolder::AddIndirectObject()

The change at 5b7c9bb differed from the original code in
that a pre-existing object would now be freed, which showed
that a collision could be possible if m_LastObjNum overflowed.

BUG=649206

Review-Url: https://codereview.chromium.org/2361303002
---
 core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp | 1 +
 1 file changed, 1 insertion(+)

(limited to 'core')

diff --git a/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp b/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp
index 800e34b3d1..0a15e2dce1 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp
@@ -47,6 +47,7 @@ uint32_t CPDF_IndirectObjectHolder::AddIndirectObject(CPDF_Object* pObj) {
     return pObj->m_ObjNum;
 
   m_LastObjNum++;
+  m_IndirectObjs[m_LastObjNum].release();  // TODO(tsepez): stop this leak.
   m_IndirectObjs[m_LastObjNum].reset(pObj);
   pObj->m_ObjNum = m_LastObjNum;
   return m_LastObjNum;
-- 
cgit v1.2.3