authorJay Berkenbilt <ejb@ql.org>2017-07-26 10:30:32 +0200
committerJay Berkenbilt <ejb@ql.org>2017-07-26 12:24:07 +0200
commitafe0242b263a9e1a8d51dd81e42ab6de2e5127eb (patch)
tree959baca5eaaac2e775aee3faa35ec52a29aa81ab /libqpdf
parent315092dd98d5230ef0efa18b294d464d0e9f79d0 (diff)
downloadqpdf-afe0242b263a9e1a8d51dd81e42ab6de2e5127eb.tar.zst
Handle object ID 0 (fixes #99)
This is CVE-2017-9208. The QPDF library uses object ID 0 internally as a sentinel to represent a direct object, but prior to this fix it did not treat 0 0 obj or 0 0 R as a special case that must be rejected. Creating an object in the file with 0 0 obj could cause various infinite loops. The PDF spec doesn't allow for object 0. Having qpdf handle object 0 might be a better fix, but changing all the places in the code that assume objid == 0 means direct would be risky.
Diffstat (limited to 'libqpdf')
-rw-r--r--libqpdf/QPDF.cc8
-rw-r--r--libqpdf/QPDFObjectHandle.cc10
2 files changed, 18 insertions, 0 deletions
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index a50c87ad..846f188f 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1350,6 +1350,14 @@ QPDF::readObjectAtOffset(bool try_recovery,
objid = atoi(tobjid.getValue().c_str());
generation = atoi(tgen.getValue().c_str());
+ if (objid == 0)
+ {
+ QTC::TC("qpdf", "QPDF object id 0");
+ throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+ this->last_object_description, offset,
+ "object with ID 0");
+ }
+
if ((exp_objid >= 0) &&
(! ((objid == exp_objid) && (generation == exp_generation))))
{
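Review bot: The new guard at lines 26-32 rejects only an object ID of exactly 0, yet objid is produced by atoi() on line 24, which returns 0 for non-numeric text and has undefined behaviour on out-of-range input, so a digit string that overflows int can yield a wrapped or negative value that still passes the check. Unless the tokenizer already restricts tobjid to a non-negative in-range integer (not visible here), tightening the condition to `if (objid < 1)` with a message such as `"object with ID 0 or negative ID"`, and parsing with strtol plus an errno/range check, would reject every object number the PDF spec disallows at this single point. The same consideration applies to generation on line 25, which the hunk leaves unchecked. readObjectAtOffset starts and ends outside the hunk.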
diff --git a/libqpdf/QPDFObjectHandle.cc b/libqpdf/QPDFObjectHandle.cc
index 687ba439..cd3084cb 100644
--- a/libqpdf/QPDFObjectHandle.cc
+++ b/libqpdf/QPDFObjectHandle.cc
@@ -1089,6 +1089,16 @@ QPDFObjectHandle::parseInternal(PointerHolder<InputSource> input,
QPDFObjectHandle
QPDFObjectHandle::newIndirect(QPDF* qpdf, int objid, int generation)
{
+ if (objid == 0)
+ {
+ // Special case: QPDF uses objid 0 as a sentinel for direct
+ // objects, and the PDF specification doesn't allow for object
+ // 0. Treat indirect references to object 0 as null so that we
+ // never create an indirect object with objid 0.
+ QTC::TC("qpdf", "QPDFObjectHandle indirect with 0 objid");
+ return newNull();
+ }
+
return QPDFObjectHandle(qpdf, objid, generation);
}
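Review bot: The new branch at lines 45-53 silently turns a reference to object 0 into a direct null, whereas the companion change in QPDF.cc raises qpdf_e_damaged_pdf for an object definition with ID 0, so a caller gets no indication that the file was malformed and a reference was dropped. Since the QPDF* is in hand here, it would be worth recording a damaged-file warning through that instance if it exposes such a mechanism (not visible in this hunk), or at minimum documenting the behaviour on the definition: `// Returns a direct null rather than an indirect handle when objid == 0, because 0 is reserved as the direct-object sentinel and is not a valid object number per the PDF spec.` The same question raised for QPDF.cc applies to negative object numbers, which this check still passes straight through to the QPDFObjectHandle constructor on line 55 if the parser can ever produce them.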