## Summary
pdfunite util in poppler-0.55.0 will crash when parsing a crafted pdf file due to null pointer deference in main()@~/utils/pdfunite.cc:357


## Reprocude
openstack@openstack-virtual-machine:~/pjq/poppler-0.55.0/build-gcc/utils$ ./pdfunite null_pointer_deference_poc.pdf 1.pdf
Syntax Error (224): Dictionary key must be a name object
Syntax Error (226): Dictionary key must be a name object
Syntax Error (230): Dictionary key must be a name object
Syntax Error (232): Dictionary key must be a name object
Syntax Error (241): Dictionary key must be a name object
Syntax Error: Kid object (page 1) is wrong type (stream)
Segmentation fault


## Crash Stack
Program received signal SIGSEGV, Segmentation fault.
main (argc=3, argv=<optimized out>) at ../../poppler/Page.h:156
156       GBool isCropped() { return attrs->isCropped(); }
(gdb) bt
#0  main (argc=3, argv=<optimized out>) at ../../poppler/Page.h:156


## Analysis
in ~/utils/pdfunite.cc:357
354   for (i = 0; i < (int) docs.size(); i++) {
355     for (j = 1; j <= docs[i]->getNumPages(); j++) {
356       PDFRectangle *cropBox = NULL;
357       if (docs[i]->getCatalog()->getPage(j)->isCropped())

Here, the value of "docs[i]->getCatalog()->getPage(j)" is zero, then isCropped() will deference a null pointer, which causes crash.


in ~/poppler/Catalog.cc:243
 235 Page *Catalog::getPage(int i)
 236 {
 237   if (i < 1) return NULL;
 238 
 239   catalogLocker();
 240   if (i > lastCachedPage) {
 241      GBool cached = cachePageTree(i);
 242      if ( cached == gFalse) {
 243        return NULL;
 244      }
 245   }
 246   return pages[i-1];
 247 }
Here, Catalog.cc:getPage() will return NULL in line 243, which causes the address to deference above to be zero.


## Patch
In ~/utils/pdfunite.cc:357, before calling isCropped(), first check the return value of getPage(j) is zero or not.


## Author
name: Jiaqi Peng
email: pjqruc@gmail.com (if you need poc, contact me via email)