Add a regression test for a CPDF_StructElement crash.
Add a test case to make sure creating and destroying a struct tree does
not crash for certain trees.
Bug: chromium:1296920
Change-Id: Idb907df086092b0b65569ac43914b7be082cfcb4
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/91030
Reviewed-by: Nigi <nigi@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/fpdfsdk/fpdf_structtree_embeddertest.cpp b/fpdfsdk/fpdf_structtree_embeddertest.cpp
index 1d90b90..fd2f25a 100644
--- a/fpdfsdk/fpdf_structtree_embeddertest.cpp
+++ b/fpdfsdk/fpdf_structtree_embeddertest.cpp
@@ -760,3 +760,19 @@
UnloadPage(page);
}
+
+TEST_F(FPDFStructTreeEmbedderTest, Bug1296920) {
+ ASSERT_TRUE(OpenDocument("bug_1296920.pdf"));
+ FPDF_PAGE page = LoadPage(0);
+ ASSERT_TRUE(page);
+
+ {
+ ScopedFPDFStructTree struct_tree(FPDF_StructTree_GetForPage(page));
+ ASSERT_TRUE(struct_tree);
+ ASSERT_EQ(1, FPDF_StructTree_CountChildren(struct_tree.get()));
+
+ // Destroying this tree should not crash.
+ }
+
+ UnloadPage(page);
+}
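Review bot: The comment `// Destroying this tree should not crash.` does not say which property of bug_1296920.pdf the regression depends on, and the only content check is the root child count. I would add a comment above the scoped block naming the trigger, for example `// ParentTree key 1 points at an interior StructElem (10 0 R); build and teardown must tolerate it.` That wording is a guess from the fixture, since the actual cause is not stated on this page. If the original failure was a lifetime error during teardown, it may only fail reliably on a sanitizer build. A short note such as `// Most useful under ASan.` would tell readers that a pass on a plain release build is weak evidence.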
diff --git a/testing/resources/bug_1296920.in b/testing/resources/bug_1296920.in
new file mode 100644
index 0000000..5c9da58
--- /dev/null
+++ b/testing/resources/bug_1296920.in
@@ -0,0 +1,115 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /StructTreeRoot 6 0 R
+ /MarkInfo <<
+ /Marked true
+ >>
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 1
+ /Kids [3 0 R]
+>>
+endobj
+{{object 3 0}} <<
+ /Type /Page
+ /Contents 4 0 R
+ /MediaBox [0 0 100 100]
+ /Parent 2 0 R
+ /Resources <<
+ /Font <<
+ /F1 5 0 R
+ >>
+ >>
+ /StructParents 0
+>>
+endobj
+{{object 4 0}} <<
+ {{streamlen}}
+>>
+stream
+/P <</MCID 1>> BDC
+BT
+/F1 12 Tf
+1 0 0 1 20 50 Tm
+(Hello) Tj
+ET
+EMC
+/P <</MCID 2>> BDC
+BT
+/F1 12 Tf
+1 0 0 1 50 50 Tm
+(World) Tj
+ET
+EMC
+endstream
+endobj
+{{object 5 0}} <<
+ /Type /Font
+ /Subtype /Type1
+ /BaseFont /Helvetica
+>>
+endobj
+{{object 6 0}} <<
+ /Type /StructTreeRoot
+ /K [9 0 R]
+ /ParentTree 7 0 R
+>>
+endobj
+{{object 7 0}} <<
+ /Nums [0 8 0 R 1 10 0 R]
+>>
+endobj
+{{object 8 0}}
+[12 0 R 13 0 R]
+endobj
+{{object 9 0}} <<
+ /Type /StructElem
+ /S /Document
+ /P 6 0 R
+ /K [10 0 R]
+>>
+endobj
+{{object 10 0}} <<
+ /Type /StructElem
+ /S /Part
+ /P 9 0 R
+ /K [11 0 R]
+>>
+endobj
+{{object 11 0}} <<
+ /Type /StructElem
+ /S /Div
+ /P 10 0 R
+ /K [12 0 R 13 0 R 14 0 R]
+>>
+endobj
+{{object 12 0}} <<
+ /Type /StructElem
+ /S /P
+ /P 11 0 R
+ /K 1
+ /Pg 3 0 R
+>>
+endobj
+{{object 13 0}} <<
+ /Type /StructElem
+ /S /P
+ /P 11 0 R
+ /K 2
+ /Pg 3 0 R
+>>
+endobj
+{{object 14 0}} <<
+ /Type /StructElem
+ /S /Div
+ /P 11 0 R
+>>
+endobj
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF
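Review bot: The template contains several structural oddities and nothing marks which one is the deliberate trigger. The content stream uses `/MCID 1` and `/MCID 2`, while the page's parent-tree array in object 8, `[12 0 R 13 0 R]`, has only indices 0 and 1. The `/Nums` array also maps key 1 to `10 0 R`, an interior StructElem, and object 14 is a `/Div` with no `/K`. A `%` comment beside the intended one would stop a later cleanup from "fixing" the fixture and silently disabling the regression test. Check first that the template tooling passes `%` comment lines through unchanged.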
diff --git a/testing/resources/bug_1296920.pdf b/testing/resources/bug_1296920.pdf
new file mode 100644
index 0000000..92d778c
--- /dev/null
+++ b/testing/resources/bug_1296920.pdf
@@ -0,0 +1,136 @@
+%PDF-1.7
+% ò¤ô
+1 0 obj <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /StructTreeRoot 6 0 R
+ /MarkInfo <<
+ /Marked true
+ >>
+>>
+endobj
+2 0 obj <<
+ /Type /Pages
+ /Count 1
+ /Kids [3 0 R]
+>>
+endobj
+3 0 obj <<
+ /Type /Page
+ /Contents 4 0 R
+ /MediaBox [0 0 100 100]
+ /Parent 2 0 R
+ /Resources <<
+ /Font <<
+ /F1 5 0 R
+ >>
+ >>
+ /StructParents 0
+>>
+endobj
+4 0 obj <<
+ /Length 134
+>>
+stream
+/P <</MCID 1>> BDC
+BT
+/F1 12 Tf
+1 0 0 1 20 50 Tm
+(Hello) Tj
+ET
+EMC
+/P <</MCID 2>> BDC
+BT
+/F1 12 Tf
+1 0 0 1 50 50 Tm
+(World) Tj
+ET
+EMC
+endstream
+endobj
+5 0 obj <<
+ /Type /Font
+ /Subtype /Type1
+ /BaseFont /Helvetica
+>>
+endobj
+6 0 obj <<
+ /Type /StructTreeRoot
+ /K [9 0 R]
+ /ParentTree 7 0 R
+>>
+endobj
+7 0 obj <<
+ /Nums [0 8 0 R 1 10 0 R]
+>>
+endobj
+8 0 obj
+[12 0 R 13 0 R]
+endobj
+9 0 obj <<
+ /Type /StructElem
+ /S /Document
+ /P 6 0 R
+ /K [10 0 R]
+>>
+endobj
+10 0 obj <<
+ /Type /StructElem
+ /S /Part
+ /P 9 0 R
+ /K [11 0 R]
+>>
+endobj
+11 0 obj <<
+ /Type /StructElem
+ /S /Div
+ /P 10 0 R
+ /K [12 0 R 13 0 R 14 0 R]
+>>
+endobj
+12 0 obj <<
+ /Type /StructElem
+ /S /P
+ /P 11 0 R
+ /K 1
+ /Pg 3 0 R
+>>
+endobj
+13 0 obj <<
+ /Type /StructElem
+ /S /P
+ /P 11 0 R
+ /K 2
+ /Pg 3 0 R
+>>
+endobj
+14 0 obj <<
+ /Type /StructElem
+ /S /Div
+ /P 11 0 R
+>>
+endobj
+xref
+0 15
+0000000000 65535 f
+0000000015 00000 n
+0000000129 00000 n
+0000000192 00000 n
+0000000363 00000 n
+0000000549 00000 n
+0000000625 00000 n
+0000000703 00000 n
+0000000751 00000 n
+0000000782 00000 n
+0000000863 00000 n
+0000000941 00000 n
+0000001033 00000 n
+0000001114 00000 n
+0000001195 00000 n
+trailer <<
+ /Root 1 0 R
+ /Size 15
+>>
+startxref
+1259
+%%EOF