oss-sec mailing list archives

podofo: NULL pointer dereference in PdfInfo::GuessFormat (pdfinfo.cpp)


From: Agostino Sarubbo <ago () gentoo org>
Date: Wed, 01 Feb 2017 16:13:57 +0100

Description:
podofo is a C++ library to work with the PDF file format.

Fuzzing it discovered a NULL pointer access. The upstream project does not allow me to open a new ticket, so I'm unable to communicate with them.

The complete ASan output:

# podofopdfinfo $FILE
==24654==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005149a7 bp 0x7ffe59e91e70 sp 0x7ffe59e91d80 T0)
==24654==The signal is caused by a READ memory access.
==24654==Hint: address points to the zero page.
    #0 0x5149a6 in PdfInfo::GuessFormat() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:210:19
    #1 0x512351 in PdfInfo::OutputDocumentInfo(std::ostream&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:40:35
    #2 0x522132 in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/podofopdfinfo.cpp:117:18
    #3 0x7fcaaf4b861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #4 0x41e8f8 in _start (/usr/bin/podofopdfinfo+0x41e8f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:210:19 in PdfInfo::GuessFormat()
==24654==ABORTING
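The trace above shows the shape of the bug class: a read from address 0 inside a format-guessing routine, reached from a tool that prints document info. The following C++ example is added here to illustrate that pattern and its fix; it is not podofo's code and does not reproduce pdfinfo.cpp. The Dictionary/Document types, the GetInfo() lookup that may return nullptr, and the use of the GTS_PDFXVersion Info key as a PDF/X marker are all assumptions made for the example. The unchecked variant dereferences a null pointer when the optional Info dictionary is absent (the kind of minimal input a fuzzer produces, which AddressSanitizer reports as a read from the zero page); the checked variant guards every pointer-returning lookup and degrades to a plain answer instead.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <string>

// Hypothetical stand-ins for a PDF object model. These are NOT podofo's
// PdfObject/PdfInfo classes, only a minimal model of the same situation.
struct Dictionary {
    std::map<std::string, std::string> entries;
    // Returns nullptr when the key is absent, like most "get key" APIs.
    const std::string* Get(const std::string& key) const {
        auto it = entries.find(key);
        return it == entries.end() ? nullptr : &it->second;
    }
};

struct Document {
    std::string version;              // taken from the "%PDF-1.x" header
    std::unique_ptr<Dictionary> info; // the Info dictionary is optional in PDF
    const Dictionary* GetInfo() const { return info.get(); }
};

// Unchecked pattern: assumes GetInfo() never returns nullptr. A minimal or
// malformed file (exactly what a fuzzer produces) makes this read address 0,
// which ASan reports as "SEGV on unknown address 0x000000000000".
std::string GuessFormatUnchecked(const Document& doc) {
    const Dictionary* info = doc.GetInfo();
    if (info->Get("GTS_PDFXVersion") != nullptr) {  // crashes when info == nullptr
        return "PDF/X";
    }
    return "PDF " + doc.version;
}

// Hardened pattern: every pointer-returning lookup is checked before use, and
// a missing Info dictionary degrades to a plain answer instead of a crash.
std::string GuessFormatChecked(const Document& doc) {
    const Dictionary* info = doc.GetInfo();
    if (info != nullptr && info->Get("GTS_PDFXVersion") != nullptr) {
        return "PDF/X";
    }
    return doc.version.empty() ? "unknown" : "PDF " + doc.version;
}

// Constructed sample documents (assumed layouts, not parsed from real files).
Document MakeDocument(const std::string& version, bool withInfo, bool pdfx) {
    Document doc;
    doc.version = version;
    if (withInfo) {
        doc.info = std::make_unique<Dictionary>();
        doc.info->entries["Producer"] = "example-producer";
        if (pdfx) doc.info->entries["GTS_PDFXVersion"] = "PDF/X-1a:2001";
    }
    return doc;
}

int main() {
    Document full = MakeDocument("1.4", true, true);
    Document bare = MakeDocument("1.7", false, false);  // no Info dictionary at all
    std::printf("%s\n", GuessFormatChecked(full).c_str());  // PDF/X
    std::printf("%s\n", GuessFormatChecked(bare).c_str());  // PDF 1.7
    // GuessFormatUnchecked(bare) would dereference nullptr at this point.
    return 0;
}
```

Building the checked variant with `-fsanitize=address` and feeding it a document without an Info dictionary produces a normal answer; the unchecked variant on the same input produces a report of the same shape as the one quoted above, which is the quickest way to confirm that a fuzzer-found crash is a missing null check rather than memory corruption.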

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00133-podofo-nullptr-pdfinfo-cpp

Timeline:
2017-01-05: bug discovered
2017-02-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp

-- 
Agostino Sarubbo
Gentoo Linux Developer
