podofo: infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject (PdfPage.cpp)

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered an infinite loop. The upstream project denies me to open a new ticket. So, I’m unable to communicate with them.

The complete ASan output:

# podofopdfinfo $FILE
==8407==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcff058fe0 (pc 0x000000425a5f bp 0x6400000003f0 sp 0x7ffcff058fe0 T0)
    #0 0x425a5e in GenericScopedLock /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_mutex.h:179
    #1 0x425a5e in __sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>::PopulateFreeList(__sanitizer::AllocatorStats*, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, __sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>::RegionInfo*) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:540
    #2 0x426297 in __sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>::AllocateBatch(__sanitizer::AllocatorStats*, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:359
    #3 0x4262f6 in __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >::Refill(__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>*, unsigned long) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1003
    #4 0x4298ed in __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>*, unsigned long) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:952
    #5 0x4298ed in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1324
    #6 0x4298ed in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x50e8b8 in operator new(unsigned long) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:78
    #8 0x7f2e77512621 in PoDoFo::PdfVariant::PdfVariant(PoDoFo::PdfDictionary const&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfVariant.cpp:151:20
    #9 0x7f2e77495f6d in PoDoFo::PdfObject::PdfObject(PoDoFo::PdfReference const&, char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfObject.cpp:62:7
    #10 0x7f2e7751dcf8 in PoDoFo::PdfVecObjects::GetObject(PoDoFo::PdfReference const&) const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfVecObjects.cpp:151:15
    #11 0x7f2e7749afe1 in PoDoFo::PdfObject::GetIndirectKey(PoDoFo::PdfName const&) const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfObject.cpp:237:30
    #12 0x7f2e77741533 in PoDoFo::PdfPage::GetInheritedKeyFromObject(char const*, PoDoFo::PdfObject const*) const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfPage.cpp:230:26
    #13 0x7f2e777415a4 in PoDoFo::PdfPage::GetInheritedKeyFromObject(char const*, PoDoFo::PdfObject const*) const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfPage.cpp:232:20
    [.....]
    #254 0x7f2e777415a4 in PoDoFo::PdfPage::GetInheritedKeyFromObject(char const*, PoDoFo::PdfObject const*) const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfPage.cpp:232:20

SUMMARY: AddressSanitizer: stack-overflow /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_mutex.h:179 in GenericScopedLock
==8407==ABORTING

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5852

Reproducer:
https://github.com/asarubbo/poc/blob/master/00145-podofo-infiniteloop-PdfPage

Timeline:
2017-01-05: bug discovered
2017-02-01: blog post about the issue
2017-02-02: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp