From 5a399de2945d7b244802565d8e9d2f6e662561da Mon Sep 17 00:00:00 2001
From: tsepez
Date: Tue, 20 Sep 2016 13:23:21 -0700
Subject: Make CPDF_Array not do indirect object creation.

We remove the indirect object holder argument and check that call sites pass ownable objects, adding a reference in one place that always was passing an indirect object.

Also check that the invariant isn't violated, we need to fail here in the wild and investigate -- these are existing UAFs.

Review-Url: https://codereview.chromium.org/2355083002
---
 fpdfsdk/fpdfsave.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'fpdfsdk/fpdfsave.cpp')

diff --git a/fpdfsdk/fpdfsave.cpp b/fpdfsdk/fpdfsave.cpp
index 307163d1af..e5938b2542 100644
--- a/fpdfsdk/fpdfsave.cpp
+++ b/fpdfsdk/fpdfsave.cpp
@@ -185,10 +185,10 @@ bool SaveXFADocumentData(CPDFXFA_Document* pDocument,
 } else {
 CPDF_Stream* pData = new CPDF_Stream;
 pData->InitStreamFromFile(pDsfileWrite.get(), pDataDict);
- pPDFDocument->AddIndirectObject(pData);
+ uint32_t objnum = pPDFDocument->AddIndirectObject(pData);
 iLast = pArray->GetCount() - 2;
 pArray->InsertAt(iLast, new CPDF_String("datasets", FALSE));
- pArray->InsertAt(iLast + 1, pData, pPDFDocument);
+ pArray->InsertAt(iLast + 1, new CPDF_Reference(pPDFDocument, objnum));
 }
 fileList->push_back(std::move(pDsfileWrite));
 }
@@ -206,10 +206,10 @@ bool SaveXFADocumentData(CPDFXFA_Document* pDocument,
 } else {
 CPDF_Stream* pData = new CPDF_Stream;
 pData->InitStreamFromFile(pfileWrite.get(), pDataDict);
- pPDFDocument->AddIndirectObject(pData);
+ uint32_t objnum = pPDFDocument->AddIndirectObject(pData);
 iLast = pArray->GetCount() - 2;
 pArray->InsertAt(iLast, new CPDF_String("form", FALSE));
- pArray->InsertAt(iLast + 1, pData, pPDFDocument);
+ pArray->InsertAt(iLast + 1, new CPDF_Reference(pPDFDocument, objnum));
 }
 fileList->push_back(std::move(pfileWrite));
 }
-- 
cgit v1.2.3
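Review bot: The object number returned by `AddIndirectObject` on the added line is handed straight to `new CPDF_Reference(pPDFDocument, objnum)` with no check, so if that call can fail and hand back a sentinel value (the hunk does not show its contract) the array ends up holding a reference that resolves to nothing when the document is written; a guard after the assignment, `if (!objnum) return false;` or whatever failure convention the holder uses, would make that visible instead of silent. The same pattern appears in the second hunk at line 206. Swapping the direct `pData` insertion for a `CPDF_Reference` is the right shape for the ownership problem the message describes: the array no longer stores a raw pointer to an object whose lifetime the document controls, which is the double-ownership that turns into a use-after-free once either side frees it. The two `else` branches now differ only in the file handle and the key string (`"datasets"` vs `"form"`), so a small static helper taking the document, array, file, dictionary and key would keep the reference-creation and any objnum check in one place. `SaveXFADocumentData` begins and ends outside both hunks, and the `GetCount() - 2` context line is not touched here.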