authorJay Berkenbilt <ejb@ql.org>2017-07-26 10:30:32 +0200
committerJay Berkenbilt <ejb@ql.org>2017-07-26 12:24:07 +0200
commitafe0242b263a9e1a8d51dd81e42ab6de2e5127eb (patch)
tree959baca5eaaac2e775aee3faa35ec52a29aa81ab /qpdf
parent315092dd98d5230ef0efa18b294d464d0e9f79d0 (diff)
Handle object ID 0 (fixes #99)
This is CVE-2017-9208. The QPDF library uses object ID 0 internally as a sentinel to represent a direct object, but prior to this fix it did not treat 0 0 obj or 0 0 R appearing in a file as a special case. Creating an object in the file with 0 0 obj could cause various infinite loops. The PDF spec doesn't allow for object 0. Having qpdf handle object 0 might be a better fix, but changing all the places in the code that assume objid == 0 means direct would be risky.
Diffstat (limited to 'qpdf')
-rw-r--r--qpdf/qpdf.testcov3
-rw-r--r--qpdf/qtest/qpdf.test4
-rw-r--r--qpdf/qtest/qpdf/issue-99.out4
-rw-r--r--qpdf/qtest/qpdf/issue-99.pdfbin0 -> 4798 bytes
-rw-r--r--qpdf/qtest/qpdf/issue-99b.out5
-rw-r--r--qpdf/qtest/qpdf/issue-99b.pdf79
6 files changed, 94 insertions, 1 deletions
diff --git a/qpdf/qpdf.testcov b/qpdf/qpdf.testcov
index d43939ea..f3ddd60d 100644
--- a/qpdf/qpdf.testcov
+++ b/qpdf/qpdf.testcov
@@ -273,3 +273,6 @@ QPDFWriter standard deterministic ID 1
QPDFWriter linearized deterministic ID 1
QPDFWriter deterministic with no data 0
qpdf-c called qpdf_set_deterministic_ID 0
+QPDFObjectHandle indirect with 0 objid 0
+QPDF object id 0 0
+QPDF caught recursive xref reconstruction 0
diff --git a/qpdf/qtest/qpdf.test b/qpdf/qtest/qpdf.test
index dd8dad30..c45215fa 100644
--- a/qpdf/qtest/qpdf.test
+++ b/qpdf/qtest/qpdf.test
@@ -206,7 +206,7 @@ $td->runtest("remove page we don't have",
show_ntests();
# ----------
$td->notify("--- Miscellaneous Tests ---");
-$n_tests += 79;
+$n_tests += 81;
$td->runtest("qpdf version",
{$td->COMMAND => "qpdf --version"},
@@ -220,6 +220,8 @@ $td->runtest("C API: qpdf version",
# Files to reproduce various bugs
foreach my $d (
+ ["99", "object 0"],
+ ["99b", "object 0"],
["100","xref reconstruction loop"],
["101", "resolve for exception text"],
)
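Review bot: The two new entries at the top of the list both carry the description "object 0", so when one of them fails the test output does not say which fixture broke; the fixtures differ (issue-99b.pdf has `0 0 obj` at the offset the xref gives for object 1, per its expected output), so name them apart, e.g. `["99", "object 0"],` and `["99b", "object 0 at xref offset of object 1"],`. The commit message also claims `0 0 R` is now handled, but no visible fixture contains such a reference; issue-99.pdf is binary, so if it is the one exercising `0 0 R` (the new `QPDFObjectHandle indirect with 0 objid` coverage case suggests something does), a short comment next to the entry saying so would make that coverage explicit. The foreach body that consumes these entries runs outside the hunk.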
diff --git a/qpdf/qtest/qpdf/issue-99.out b/qpdf/qtest/qpdf/issue-99.out
new file mode 100644
index 00000000..89d6e174
--- /dev/null
+++ b/qpdf/qtest/qpdf/issue-99.out
@@ -0,0 +1,4 @@
+WARNING: issue-99.pdf: file is damaged
+WARNING: issue-99.pdf (file position 3526): xref not found
+WARNING: issue-99.pdf: Attempting to reconstruct cross-reference table
+operation for Dictionary object attempted on object of wrong type
diff --git a/qpdf/qtest/qpdf/issue-99.pdf b/qpdf/qtest/qpdf/issue-99.pdf
new file mode 100644
index 00000000..3f370176
--- /dev/null
+++ b/qpdf/qtest/qpdf/issue-99.pdf
Binary files differ
diff --git a/qpdf/qtest/qpdf/issue-99b.out b/qpdf/qtest/qpdf/issue-99b.out
new file mode 100644
index 00000000..355701be
--- /dev/null
+++ b/qpdf/qtest/qpdf/issue-99b.out
@@ -0,0 +1,5 @@
+WARNING: issue-99b.pdf: file is damaged
+WARNING: issue-99b.pdf (object 1 0, file position 9): object with ID 0
+WARNING: issue-99b.pdf: Attempting to reconstruct cross-reference table
+WARNING: issue-99b.pdf: object 1 0 not found in file after regenerating cross reference table
+operation for Dictionary object attempted on object of wrong type
diff --git a/qpdf/qtest/qpdf/issue-99b.pdf b/qpdf/qtest/qpdf/issue-99b.pdf
new file mode 100644
index 00000000..fcf275f8
--- /dev/null
+++ b/qpdf/qtest/qpdf/issue-99b.pdf
@@ -0,0 +1,79 @@
+%PDF-1.3
+0 0 obj
+<<
+ /Type /Catalog
+ /Pages 2 0 R
+>>
+endobj
+
+2 0 obj
+<<
+ /Type /Pages
+ /Kids [
+ 3 0 R
+ ]
+ /Count 1
+>>
+endobj
+
+3 0 obj
+<<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+ /Contents 4 0 R
+ /Resources <<
+ /ProcSet 5 0 R
+ /Font <<
+ /F1 6 0 R
+ >>
+ >>
+>>
+endobj
+
+4 0 obj
+<<
+ /Length 44
+>>
+stream
+BT
+ /F1 24 Tf
+ 72 720 Td
+ (Potato) Tj
+ET
+endstream
+endobj
+
+5 0 obj
+[
+ /PDF
+ /Text
+]
+endobj
+
+6 0 obj
+<<
+ /Type /Font
+ /Subtype /Type1
+ /Name /F1
+ /BaseFont /Helvetica
+ /Encoding /WinAnsiEncoding
+>>
+endobj
+
+xref
+0 7
+0000000000 65535 f
+0000000009 00000 n
+0000000063 00000 n
+0000000135 00000 n
+0000000307 00000 n
+0000000403 00000 n
+0000000438 00000 n
+trailer <<
+ /Size 7
+ /Root 1 0 R
+>>
+startxref
+556
+%%EOF