Assert that only 0-numbered objects are Released()

core/fpdfapi/fpdf_parser/cpdf_parser.cpp

 // Copyright 2016 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
 #include "core/fpdfapi/fpdf_parser/cpdf_parser.h"
 
 #include <vector>
 
@@ skipping 938 matching lines @@
   if (last_xref != -1 && last_xref > last_obj)
     last_trailer = last_xref;
   else if (last_trailer == -1 || last_xref < last_obj)
     last_trailer = m_pSyntax->m_FileLen;
 
   m_SortedOffset.insert(last_trailer - m_pSyntax->m_HeaderOffset);
   return m_pTrailer && !m_ObjectInfo.empty();
 }
 
 FX_BOOL CPDF_Parser::LoadCrossRefV5(FX_FILESIZE* pos, FX_BOOL bMainXRef) {
-  CPDF_Object* pObject = ParseIndirectObjectAt(m_pDocument, *pos, 0);
+  std::unique_ptr<CPDF_Object> pObject(
+      ParseIndirectObjectAt(m_pDocument, *pos, 0));
   if (!pObject)
     return FALSE;
 
   if (m_pDocument) {
     CPDF_Dictionary* pRootDict = m_pDocument->GetRoot();
-    if (pRootDict && pRootDict->GetObjNum() == pObject->m_ObjNum) {
-      // If |pObject| has an objnum assigned then this will leak as Release()
-      // will early exit.
-      if (pObject->IsStream())
-        pObject->Release();
+    if (pRootDict && pRootDict->GetObjNum() == pObject->m_ObjNum)
       return FALSE;
-    }
-    if (!m_pDocument->ReplaceIndirectObjectIfHigherGeneration(pObject->m_ObjNum,
-                                                              pObject)) {
-      return FALSE;
-    }
   }
 
   CPDF_Stream* pStream = pObject->AsStream();

[Lei Zhang, 2016/09/30 23:49:01]

Do you know if |pObject| is expected to be a stream? Can we move this up to line
963 and bail out early if it's not a stream? Then the if (m_pDocument) block
that has now been split in two can become one again.

[Tom Sepez, 2016/10/01 00:13:11]

Done.

   if (!pStream)
     return FALSE;
 
+  if (m_pDocument) {
+    // Takes ownership of object (std::move someday).
+    uint32_t objnum = pObject->m_ObjNum;
+    if (!m_pDocument->ReplaceIndirectObjectIfHigherGeneration(

[Lei Zhang, 2016/09/30 23:49:01]

Or should this stay up with the other if (m_pDocument) block? By moving this
down, do we miss out on objects with higher generation numbers?

[Tom Sepez, 2016/10/01 00:13:11]

Done.

[Lei Zhang, 2016/10/01 01:24:06]

So I still wonder if changing the order of AsStream() and
ReplaceIndirectObjectIfHigherGeneration() will effect parsing of PDFs with
objects with generation numbers. I'm worried we don't have enough test coverage
there.

[Tom Sepez, 2016/10/03 17:35:05]

Done.

+            objnum, pObject.release())) {
+      return FALSE;
+    }
+  }
+
   CPDF_Dictionary* pDict = pStream->GetDict();
   *pos = pDict->GetIntegerFor("Prev");
   int32_t size = pDict->GetIntegerFor("Size");
-  if (size < 0) {
-    pStream->Release();
+  if (size < 0)
     return FALSE;
-  }
 
   CPDF_Dictionary* pNewTrailer = ToDictionary(pDict->Clone());
   if (bMainXRef) {
     m_pTrailer = pNewTrailer;
     ShrinkObjectMap(size);
     for (auto& it : m_ObjectInfo)
       it.second.type = 0;
   } else {
     m_Trailers.Add(pNewTrailer);
   }
@@ skipping 11 matching lines @@
         if (nStartNum >= 0 && nCount > 0)
           arrIndex.push_back(std::make_pair(nStartNum, nCount));
       }
     }
   }
 
   if (arrIndex.size() == 0)
     arrIndex.push_back(std::make_pair(0, size));
 
   pArray = pDict->GetArrayFor("W");
-  if (!pArray) {
-    pStream->Release();
+  if (!pArray)
     return FALSE;
-  }
 
   CFX_ArrayTemplate<uint32_t> WidthArray;
   FX_SAFE_UINT32 dwAccWidth = 0;
   for (size_t i = 0; i < pArray->GetCount(); ++i) {
     WidthArray.Add(pArray->GetIntegerAt(i));
     dwAccWidth += WidthArray[i];
   }
 
-  if (!dwAccWidth.IsValid() || WidthArray.GetSize() < 3) {
-    pStream->Release();
+  if (!dwAccWidth.IsValid() || WidthArray.GetSize() < 3)
     return FALSE;
-  }
 
   uint32_t totalWidth = dwAccWidth.ValueOrDie();
   CPDF_StreamAcc acc;
   acc.LoadAllData(pStream);
 
   const uint8_t* pData = acc.GetData();
   uint32_t dwTotalSize = acc.GetSize();
   uint32_t segindex = 0;
   for (uint32_t i = 0; i < arrIndex.size(); i++) {
     int32_t startnum = arrIndex[i].first;
@@ skipping 39 matching lines @@
       m_ObjectInfo[startnum + j].type = type;
       if (type == 0) {
         m_ObjectInfo[startnum + j].pos = 0;
       } else {
         FX_FILESIZE offset =
             GetVarInt(entrystart + WidthArray[0], WidthArray[1]);
         m_ObjectInfo[startnum + j].pos = offset;
         if (type == 1) {
           m_SortedOffset.insert(offset);
         } else {
-          if (offset < 0 || !IsValidObjectNumber(offset)) {
-            pStream->Release();
+          if (offset < 0 || !IsValidObjectNumber(offset))
             return FALSE;
-          }
           m_ObjectInfo[offset].type = 255;
         }
       }
     }
     segindex += count;
   }
-  pStream->Release();
   return TRUE;
 }
 
 CPDF_Array* CPDF_Parser::GetIDArray() {
   CPDF_Object* pID = m_pTrailer ? m_pTrailer->GetObjectFor("ID") : nullptr;
   if (!pID)
     return nullptr;
 
   if (CPDF_Reference* pRef = pID->AsReference()) {
     pID = ParseIndirectObject(nullptr, pRef->GetRefObjNum());
@@ skipping 512 matching lines @@
   if (!LoadLinearizedAllCrossRefV4(m_LastXRefOffset, m_dwXrefStartObjNum) &&
       !LoadLinearizedAllCrossRefV5(m_LastXRefOffset)) {
     m_LastXRefOffset = 0;
     m_pSyntax->m_MetadataObjnum = dwSaveMetadataObjnum;
     return FORMAT_ERROR;
   }
 
   m_pSyntax->m_MetadataObjnum = dwSaveMetadataObjnum;
   return SUCCESS;
 }