Created attachment 1432992 [details]
crash demo file

Description of problem:
The function PdfDocument::Append() in PdfDocument.cpp:327 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document. The page-append loop calls rDoc.GetPage(i) for every page index the source document reports and dereferences the result without checking it. With the attached file the page tree cannot resolve page 1 (see the CRITICAL line in the log below), GetPage() returns NULL, and the first member access through pPage faults.

Detailed analysis of crash:

$ gdb podofomerge
(gdb) r crash1.pdf crash1.pdf out.pdf
Starting program: /home/zzuf/pdf-fuzz/podofo/tools/podofomerge/podofomerge crash1.pdf crash1.pdf out.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Reading file: crash1.pdf
WARNING: There are more objects (85) in this XRef table than specified in the size key of the trailer directory (9)!
WARNING: There are more objects (86) in this XRef table than specified in the size key of the trailer directory (85)!
WARNING: There are more objects (87) in this XRef table than specified in the size key of the trailer directory (86)!
WARNING: There are more objects (88) in this XRef table than specified in the size key of the trailer directory (87)!
WARNING: There are more objects (99) in this XRef table than specified in the size key of the trailer directory (88)!
WARNING: There are more objects (100) in this XRef table than specified in the size key of the trailer directory (99)!
WARNING: There are more objects (101) in this XRef table than specified in the size key of the trailer directory (100)!
WARNING: There are more objects (102) in this XRef table than specified in the size key of the trailer directory (101)!
WARNING: There are more objects (103) in this XRef table than specified in the size key of the trailer directory (102)!
<</Root 98 0 R/Size 9>>
Reading file: crash1.pdf
WARNING: There are more objects (85) in this XRef table than specified in the size key of the trailer directory (9)!
WARNING: There are more objects (86) in this XRef table than specified in the size key of the trailer directory (85)!
WARNING: There are more objects (87) in this XRef table than specified in the size key of the trailer directory (86)!
WARNING: There are more objects (88) in this XRef table than specified in the size key of the trailer directory (87)!
WARNING: There are more objects (99) in this XRef table than specified in the size key of the trailer directory (88)!
WARNING: There are more objects (100) in this XRef table than specified in the size key of the trailer directory (99)!
WARNING: There are more objects (101) in this XRef table than specified in the size key of the trailer directory (100)!
WARNING: There are more objects (102) in this XRef table than specified in the size key of the trailer directory (101)!
WARNING: There are more objects (103) in this XRef table than specified in the size key of the trailer directory (102)!
<</Root 98 0 R/Size 9>>
Appending 2 pages on a document with 2 pages.
Fixing references in 103 1 R by 102
Fixing references in 186 0 R by 102
Fixing references in 187 0 R by 102
Fixing references in 188 0 R by 102
Fixing references in 189 0 R by 102
Fixing references in 200 0 R by 102
Fixing references in 201 0 R by 102
Fixing references in 202 0 R by 102
Fixing references in 203 0 R by 102
Fixing references in 204 0 R by 102
CRITICAL: Cannot find page 1 or page 1 has no parents. Cannot insert new page.

Program received signal SIGSEGV, Segmentation fault.
0xb7dab770 in PoDoFo::PdfDocument::Append (this=0xbfffed9c, rDoc=..., bAppendAll=true) at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfDocument.cpp:327
327	        PdfPage* pPage = rDoc.GetPage( i );
(gdb) list
323
324	    // append all pages now to our page tree
325	    for(int i=0;i<rDoc.GetPageCount();i++ )
326	    {
327	        PdfPage* pPage = rDoc.GetPage( i );
328	        PdfObject* pObj = m_vecObjects.GetObject( PdfReference( pPage->GetObject()->Reference().ObjectNumber() + difference, pPage->GetObject()->Reference().GenerationNumber() ) );
329	        if( pObj->IsDictionary() && pObj->GetDictionary().HasKey( "Parent" ) )
330	            pObj->GetDictionary().RemoveKey( "Parent" );
331
(gdb) i r
eax            0x0	0
ecx            0x0	0
edx            0x0	0
ebx            0xb7fce000	-1208164352
esp            0xbfffebf0	0xbfffebf0
ebp            0xbfffed68	0xbfffed68
esi            0xbfffee84	-1073746300
edi            0x8066a80	134638208
eip            0xb7dab770	0xb7dab770 <PoDoFo::PdfDocument::Append(PoDoFo::PdfMemDocument const&, bool)+3712>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb) disassemble /m $pc
Dump of assembler code for function PoDoFo::PdfDocument::Append(PoDoFo::PdfMemDocument const&, bool):
...
326	    {
327	        PdfPage* pPage = rDoc.GetPage( i );
   0xb7dab760 <+3696>:	sub    $0x8,%esp
   0xb7dab763 <+3699>:	push   %ecx
   0xb7dab764 <+3700>:	push   %esi
   0xb7dab765 <+3701>:	call   0xb7bd9b20 <_ZNK6PoDoFo11PdfDocument7GetPageEi@plt>
   0xb7dab76a <+3706>:	mov    %eax,-0x140(%ebp)
=> 0xb7dab770 <+3712>:	mov    0x4(%eax),%eax    // faulting instruction: eax (the PdfPage* returned by GetPage) is 0, so this reads offset 4 from NULL
328	        PdfObject* pObj = m_vecObjects.GetObject( PdfReference( pPage->GetObject()->Reference().ObjectNumber() + difference, pPage->GetObject()->Reference().GenerationNumber() ) );
   0xb7dab779 <+3721>:	mov    -0x144(%ebp),%edi
   0xb7dab789 <+3737>:	add    0x20(%eax),%edi
   0xb7dab795 <+3749>:	mov    -0x148(%ebp),%eax
   0xb7dab7a2 <+3762>:	mov    -0x13c(%ebp),%esi

The register dump confirms the cause: GetPage() returned 0 in eax, the value was stored as pPage, and the very next instruction dereferences it. Nothing between the call and the fault checks for NULL, so any document whose page count disagrees with what its page tree can actually resolve reaches this path.

How reproducible:
use podofomerge to read the attached poc file.

Steps to Reproduce:
1. podofomerge crash1.pdf crash1.pdf out.pdf
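The defect and its fix, as an added example that is not PoDoFo's own code: the stand-in Document/Page/Reference types, the function names AppendUnchecked/AppendChecked and the object numbers are all assumptions made for illustration. Document::GetPage() mimics the behaviour visible in the gdb session, returning a null pointer for a page index that the page tree cannot resolve, and the constructed "crash-shaped" input reports two pages of which page 1 is unresolvable, matching the CRITICAL line in the log.

```cpp
#include <vector>

// Hypothetical stand-ins for PoDoFo's PdfReference / PdfPage /
// PdfMemDocument (example code, not PoDoFo's own). Names are assumptions.
struct Reference {
    unsigned object;
    unsigned generation;
};

struct Page {
    Reference ref;
};

struct Document {
    // A nullptr entry stands for a page index that the page tree cannot
    // resolve, which is what the real GetPage() yields after its
    // "Cannot find page N" CRITICAL message.
    std::vector<Page*> pages;

    int GetPageCount() const { return static_cast<int>(pages.size()); }

    Page* GetPage(int i) const {
        if (i < 0 || i >= static_cast<int>(pages.size()))
            return nullptr;
        return pages[i];
    }
};

struct AppendResult {
    bool ok;                          // false if a page could not be resolved
    int badIndex;                     // index of the unresolved page, -1 if none
    std::vector<unsigned> renumbered; // object numbers after adding difference
};

// The loop as it appears at PdfDocument.cpp:327-328: the result of GetPage()
// is dereferenced immediately. On the crash-shaped document below this reads
// through a null pointer, exactly like "mov 0x4(%eax),%eax" with eax == 0.
// Kept only to show the defect; do not call it on untrusted input.
std::vector<unsigned> AppendUnchecked(const Document& rDoc, unsigned difference) {
    std::vector<unsigned> renumbered;
    for (int i = 0; i < rDoc.GetPageCount(); i++) {
        Page* pPage = rDoc.GetPage(i);
        renumbered.push_back(pPage->ref.object + difference); // NULL deref
    }
    return renumbered;
}

// Hardened loop: a null page means the source document's page tree is
// inconsistent with its page count, so abort the whole append and report
// the index instead of continuing with a half-rewritten document.
AppendResult AppendChecked(const Document& rDoc, unsigned difference) {
    AppendResult r{true, -1, {}};
    for (int i = 0; i < rDoc.GetPageCount(); i++) {
        Page* pPage = rDoc.GetPage(i);
        if (pPage == nullptr) {
            r.ok = false;
            r.badIndex = i;
            r.renumbered.clear();
            return r;
        }
        r.renumbered.push_back(pPage->ref.object + difference);
    }
    return r;
}

// Constructed input shaped like the crash: the document reports two pages,
// page 0 resolves, page 1 does not. The object numbers are made up.
Document MakeCrashShapedDocument() {
    static Page page0{{3, 0}};
    Document doc;
    doc.pages = {&page0, nullptr};
    return doc;
}

// Constructed well-formed input for comparison (object numbers made up).
Document MakeIntactDocument() {
    static Page page0{{3, 0}};
    static Page page1{{5, 0}};
    Document doc;
    doc.pages = {&page0, &page1};
    return doc;
}
```

AppendChecked() refuses the crash-shaped document with badIndex == 1, which is the page the CRITICAL message names, and renumbers both pages of the intact document by the given difference (102 in the log above). Whether the real fix should abort the merge or skip the bad page is a project decision; the point is that the NULL returned by GetPage() has to be handled before the first member access.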