Created attachment 1432515
crash demo file

Description of problem:
The function PdfPage::GetPageNumber() in PdfPage.cpp:538 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document.

Detailed analysis of crash:

$ gdb podofopdfinfo
(gdb) r crash1.pdf
Starting program: /home/zzuf/pdf-fuzz/crash/podofopdfinfo crash1.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Document Info
-------------
File: crash1.pdf
PDF Version: 1.4
Page Count: 3
Fast Web View Enabled: No
Tagged: No
Encrypted: No
Printing Allowed: Yes
Modification Allowed: Yes
Copy&Paste Allowed: Yes
Add/Modify Annotations Allowed: Yes
Fill&Sign Allowed: Yes
Accessibility Allowed: Yes
Document Assembly Allowed: Yes
High Quality Print Allowed: Yes
Classic Metadata
----------------
Author: Jonas Jenwald
Creator: LaTeX with hyperref package
Subject:
Title: Issue 6204 - reduced
Keywords:
Trapped: #FF000#1B00000000000#0D
Page Info
---------
Page Count: 3
Page 0:

Program received signal SIGSEGV, Segmentation fault.
PoDoFo::PdfPage::GetPageNumber (this=0x8079108) at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPage.cpp:538
538	        if( pNode->GetDictionary().GetKey( PdfName::KeyType ) != NULL
(gdb) list
533	
534	    while( it != kids.end() && (*it).GetReference() != ref )
535	    {
536	        PdfObject* pNode = this->GetObject()->GetOwner()->GetObject( (*it).GetReference() );
537	
538	        if( pNode->GetDictionary().GetKey( PdfName::KeyType ) != NULL
539	            && pNode->GetDictionary().GetKey( PdfName::KeyType )->GetName() == PdfName( "Pages" ) )
540	        {
541	            PdfObject* pCount = pNode->GetIndirectKey( "Count" );
542	            if( pCount != NULL ) {
(gdb) i r
eax            0x0	0
ecx            0x0	0
edx            0x8070748	134678344
ebx            0xb7fce000	-1208164352
esp            0xbfffed60	0xbfffed60
ebp            0xbfffee68	0xbfffee68
esi            0x8079108	134713608
edi            0x0	0
eip            0xb7ec9f0c	0xb7ec9f0c <PoDoFo::PdfPage::GetPageNumber() const+2172>
eflags         0x10286	[ PF SF IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb) disassemble /m $pc
Dump of assembler code for function PoDoFo::PdfPage::GetPageNumber() const:
...
535	    {
536	        PdfObject* pNode = this->GetObject()->GetOwner()->GetObject( (*it).GetReference() );
   0xb7ec9ef4 <+2148>:	sub    $0x8,%esp
   0xb7ec9ef7 <+2151>:	push   %esi
   0xb7ec9ef8 <+2152>:	mov    -0xd8(%ebp),%esi
   0xb7ec9efe <+2158>:	mov    0x4(%esi),%edx
   0xb7ec9f01 <+2161>:	pushl  0x28(%edx)
   0xb7ec9f04 <+2164>:	call   0xb7bdac70 <_ZNK6PoDoFo13PdfVecObjects9GetObjectERKNS_12PdfReferenceE@plt>
   0xb7ec9f09 <+2169>:	add    $0x10,%esp
   0xb7ec9f10 <+2176>:	mov    %eax,%esi

537	
538	        if( pNode->GetDictionary().GetKey( PdfName::KeyType ) != NULL
   0xb7ec97ec <+348>:	mov    -0x104(%ebx),%esi
   0xb7ec97f2 <+354>:	lea    -0x9c(%ebp),%ecx
   0xb7ec9814 <+388>:	mov    %esi,-0xc8(%ebp)
   0xb7ec981a <+394>:	lea    0x0(%esi),%esi
   0xb7ec9a18 <+904>:	lea    -0x10(%esp),%esp

Version-Release number of selected component (if applicable):
podofo 0.95

How reproducible:
use podofo/tools/podofopdfinfo to read the attached poc file.

Steps to Reproduce:
1. podofopdfinfo $POC
2.
3.

Actual results:

Expected results:

Additional info:
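Added example, not PoDoFo's code: a minimal C++ model of the /Kids walk shown in the gdb listing above (PdfPage.cpp:534-542), with the unchecked dereference of pNode at line 538 beside a version that skips kid references the object table cannot resolve. PageNode, ObjectTable, getObject, the two pagesBefore* functions and the sample table are hypothetical stand-ins for PdfObject, PdfVecObjects and PdfVecObjects::GetObject(); the hardened loop is illustrative and not the upstream patch.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for a resolved PdfObject in the page tree.
struct PageNode {
    std::string type;  // /Type: "Pages" (intermediate node) or "Page"
    int count;         // /Count of a "Pages" node; 1 for a leaf page
};
// Hypothetical stand-in for PdfVecObjects: object number -> object.
using ObjectTable = std::map<int, PageNode>;
// Like PdfVecObjects::GetObject(): a reference with no matching object yields nullptr.
const PageNode* getObject(const ObjectTable& owner, int ref) {
    auto it = owner.find(ref);
    return it == owner.end() ? nullptr : &it->second;
}

// Shape of the loop at PdfPage.cpp:534-542: pNode is dereferenced with no NULL check,
// so a /Kids entry naming a missing object is the reported segfault.
int pagesBeforeUnchecked(const ObjectTable& owner, const std::vector<int>& kids, int self) {
    int pages = 0;
    for (int ref : kids) {
        if (ref == self) break;
        const PageNode* pNode = getObject(owner, ref);
        pages += (pNode->type == "Pages") ? pNode->count : 1;  // NULL dereference here
    }
    return pages;
}

// Hardened shape (illustrative, not the upstream patch): unresolvable kids are skipped,
// so a crafted page tree yields a wrong page index instead of a crash.
int pagesBeforeChecked(const ObjectTable& owner, const std::vector<int>& kids, int self) {
    int pages = 0;
    for (int ref : kids) {
        if (ref == self) break;
        const PageNode* pNode = getObject(owner, ref);
        if (pNode == nullptr) continue;  // dangling reference in /Kids
        pages += (pNode->type == "Pages") ? pNode->count : 1;
    }
    return pages;
}

// Constructed sample: /Kids lists object 7, which is absent from the object table.
ObjectTable sampleTable() { return {{5, {"Pages", 2}}, {6, {"Page", 1}}, {9, {"Page", 1}}}; }
const std::vector<int> sampleKids = {5, 7, 6, 9};
int main() {  // only the checked walk is safe on the crafted sample
    std::cout << "pages before object 9: " << pagesBeforeChecked(sampleTable(), sampleKids, 9) << "\n";
}
```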