
Segfault (null deref) in parse_rsrcdict

Observed on file 03359c61f584b05222a45e084c8c9d6ff7c86fc07959c639de7ca740b0543f68 from the evalThree corpus.

pompolic wrote in !25 (merged):

The segfault is seemingly nondeterministic, but I managed to capture this backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00005555555658ac in parse_rsrcdict (arena=0x5555a3624690, dict_t=0x0, pgNode=0x555555f26c78, aux=0x7fffffffde30) at pdf.c:4245
4245            if ( (dict_t->token_type == TT_Dict) || (dict_t->token_type == TT_Objstm) ) {
(gdb) bt
#0  0x00005555555658ac in parse_rsrcdict (arena=0x5555a3624690, dict_t=0x0, pgNode=0x555555f26c78, aux=0x7fffffffde30) at pdf.c:4245
#1  0x0000555555566300 in parse_pagenode (aux=0x7fffffffde30, myNode=0x555555f26c78, myRef=0x555555b2c638, myDict=0x5555af2f2678, parent_t=0x55555580c1b0, parent_n=0x7fffffffde80,
    arena=0x555555691050) at pdf.c:4404
#2  0x000055555556722d in parse_pagetree (aux=0x7fffffffde30, myNode=0x7fffffffde80, myRef=0x55555580c1b0, myDict=0x5555558d3c80, parent_t=0x0, parent_n=0x0) at pdf.c:4678
#3  0x00005555555674ae in parse_catalog (aux=0x7fffffffde30, root=0x5555555f8ab0) at pdf.c:4752
#4  0x0000555555568d5b in parse_xrefs (aux=0x7fffffffde30) at pdf.c:5366
#5  0x0000555555569139 in main (argc=1, argv=0x7fffffffe0c0) at pdf.c:5503

dict_t is returned by resolve() in parse_pagenode(), and is assumed not to be NULL by parse_rsrcdict(). I think that, probably due to being run under ulimit, resolve() happens to return NULL. The reference it was trying to resolve:

(gdb) print *(Ref*)item->user
$8 = {nr = 951, gen = 0}
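The failure mode described in this report, as an added example that is not code from the issue or the project it refers to: a toy C model in which a resolve() step can return NULL (for an unknown object or because allocation fails under a resource limit), and the caller checks that result before testing token_type instead of dereferencing it. Everything here is hypothetical and constructed for illustration: the Arena with a budget, the Token and Ref structs, resolve(), parse_rsrcdict_checked() and parse_pagenode_checked(); only the names TT_Dict and TT_Objstm are borrowed from the backtrace, and their numeric values are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical token kinds; the names TT_Dict / TT_Objstm come from the
 * backtrace, the enum values are an assumption. */
enum token_type { TT_Null = 0, TT_Dict, TT_Objstm, TT_Other };

typedef struct { int token_type; } Token;   /* constructed stand-in for the parser's token */
typedef struct { int nr; int gen; } Ref;    /* same shape as the Ref printed in gdb */

/* Toy arena with a hard byte budget, constructed to simulate an allocator
 * that starts failing under a resource limit (e.g. ulimit -v). */
typedef struct { size_t remaining; } Arena;

static void *arena_alloc(Arena *arena, size_t n) {
    if (n > arena->remaining) return NULL;  /* budget exhausted: report failure, do not abort */
    arena->remaining -= n;
    return calloc(1, n);
}

/* Hypothetical resolve(): materialises the referenced object as a token.
 * Returns NULL both for an unresolvable reference and for allocation failure,
 * which is exactly why the caller must check before dereferencing. */
static Token *resolve(Arena *arena, const Ref *ref) {
    if (ref == NULL || ref->nr <= 0) return NULL;        /* unknown / invalid object number */
    Token *t = arena_alloc(arena, sizeof *t);
    if (t == NULL) return NULL;                          /* out of memory */
    t->token_type = (ref->nr % 2 == 0) ? TT_Dict : TT_Objstm;  /* constructed sample content */
    return t;
}

enum { RSRC_OK = 0, RSRC_ERR_UNRESOLVED = -1, RSRC_ERR_TYPE = -2 };

/* Hardened shape of the crashing function: the NULL check comes before the
 * first use of dict_t, and the failure is returned as an error code. */
static int parse_rsrcdict_checked(Arena *arena, const Token *dict_t) {
    (void)arena;
    if (dict_t == NULL) return RSRC_ERR_UNRESOLVED;      /* the case that segfaulted in the report */
    if (dict_t->token_type == TT_Dict || dict_t->token_type == TT_Objstm) {
        return RSRC_OK;   /* a real parser would walk the resource dictionary here */
    }
    return RSRC_ERR_TYPE;
}

/* Caller that propagates the error instead of continuing with a bad page node. */
static int parse_pagenode_checked(Arena *arena, const Ref *rsrc_ref) {
    Token *dict_t = resolve(arena, rsrc_ref);
    int rc = parse_rsrcdict_checked(arena, dict_t);
    free(dict_t);   /* free(NULL) is a no-op */
    return rc;
}

int main(void) {
    Arena plenty = { .remaining = 1024 };
    Arena exhausted = { .remaining = 0 };   /* simulates the allocator failing under ulimit */
    Ref ref = { .nr = 951, .gen = 0 };      /* the reference number from the gdb output */
    printf("normal run: %d\n", parse_pagenode_checked(&plenty, &ref));      /* 0  (RSRC_OK) */
    printf("no memory:  %d\n", parse_pagenode_checked(&exhausted, &ref));   /* -1 (RSRC_ERR_UNRESOLVED) */
    return 0;
}
```

The point of the model is that resolve() has two distinct NULL-returning paths, and the caller cannot tell them apart by looking at the pointer, so the check has to sit in the consumer (or resolve() has to report the cause through an out-parameter); running the binary under a tight ulimit is a cheap way to exercise the allocation-failure path deliberately rather than waiting for it to show up nondeterministically.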