PDF::Reader::ObjectHash.get_page_objects: undefined method `[]' for nil:NilClass

This error is by far the most frequently encountered error during fuzzing.

crashes/20220417055748989526710_crash_497.pdf.trace-1-undefined method `[]' for nil:NilClass
crashes/20220417055748989526710_crash_497.pdf.trace:2:/var/lib/gems/2.7.0/gems/pdf-reader-2.9.2/lib/pdf/reader/object_hash.rb:576:in `get_page_objects'

20220417055748989526710_crash_497.pdf

I have not investigated the root cause. I have no idea how realistic this issue is outside of fuzzing. However, fixing this issue would significantly reduce the fuzzer output. This would speed up fuzzing and save disk space by not having to write the crash file and output to disk.

The surrounding code raises MalformedPDFError but these code paths are frequently missed.

pdf-reader/lib/pdf/reader/object_hash.rb

Lines 570 to 588 in 21d0d21

    
           # returns an array of object references for all pages in this object store. The ordering of 
        
           # the Array is significant and matches the page ordering of the document 
        
           # 
        
           def get_page_objects(obj) 
        
             derefed_obj = deref_hash(obj) 
        
             if derefed_obj.nil? 
        
               raise MalformedPDFError, "Expected Page or Pages object, got nil" 
        
             elsif derefed_obj[:Type] == :Page 
        
               [obj] 
        
             elsif derefed_obj[:Kids] 
        
               kids = deref_array(derefed_obj[:Kids]) || [] 
        
               kids.map { |kid| 
        
                 get_page_objects(kid) 
        
               }.flatten 
        
             else 
        
               raise MalformedPDFError, "Expected Page or Pages object" 
        
             end 
        
           end

woah, spooky. This was just converted to a MalformedPDFError by #457

If you can confirm #457 fixes the crash for you in fuzzing, I'll close this issue.

If you can confirm #457 fixes the crash for you in fuzzing, I'll close this issue.

Re-running the fuzzer now. This issue appears to have been resolved.

user@ubuntu:~/Desktop/pdf-reader$ grep get_page_objects crashes/*.trace | wc -l
0

There would usually have been hundreds or thousands of these crashes by now.

user@ubuntu:~/Desktop/pdf-reader$ grep get_page_objects crashes.1/*.trace | wc -l
4140
user@ubuntu:~/Desktop/pdf-reader$ grep get_page_objects crashes.2/*.trace | wc -l
19736

	# returns an array of object references for all pages in this object store. The ordering of
	# the Array is significant and matches the page ordering of the document
	#
	def get_page_objects(obj)
	derefed_obj = deref_hash(obj)

	if derefed_obj.nil?
	raise MalformedPDFError, "Expected Page or Pages object, got nil"
	elsif derefed_obj[:Type] == :Page
	[obj]
	elsif derefed_obj[:Kids]
	kids = deref_array(derefed_obj[:Kids]) \|\| []
	kids.map { \|kid\|
	get_page_objects(kid)
	}.flatten
	else
	raise MalformedPDFError, "Expected Page or Pages object"
	end
	end