pypdf
cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*
- < 6.1.3
A vulnerability in pypdf, a pure-Python PDF library, prior to version 6.1.3, allows an attacker to create a PDF that causes an infinite loop. This issue arises when the content stream of a page with an inline image using the DCTDecode filter is parsed. The vulnerability has been addressed in pypdf version 6.1.3.
Exploitation of this vulnerability leads to an infinite loop, causing a denial-of-service condition by hanging the process that is parsing the PDF.
The vulnerability can be reproduced by creating a PDF file that includes an inline image compressed with the DCTDecode filter, and then parsing the PDF with a version of pypdf prior to 6.1.3. The crafted PDF will cause the pypdf library to enter an infinite loop while processing the image, effectively freezing the operation.
Users can upgrade to pypdf version 6.1.3 or later to address this vulnerability. If an immediate upgrade is not possible, the changes from PR #3501 can be applied as a workaround.
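Two defender-side checks follow from this advisory: confirm that the deployed pypdf is at or above the fixed release, and, where an upgrade must wait, make sure a parse that never returns cannot take the whole service down with it. The script below is an added example written for this page, not code from the pypdf project or from PR #3501. `parse_version`, `is_vulnerable`, `run_with_deadline` and the two `_simulated_*` stand-ins are names chosen here; `PdfReader(path).pages` is pypdf's real API and is imported lazily so the rest of the module runs where pypdf is not installed. The deadline wrapper uses a child process rather than a thread because a thread stuck in an infinite loop cannot be interrupted from Python, while a process can be terminated.

```python
"""Guard rails for a service that feeds untrusted PDFs to pypdf.

Added example; not code from the pypdf project or from the advisory.
  1. a version gate that flags an installed pypdf older than the fixed 6.1.3;
  2. a deadline wrapper that runs the parse in a child process and kills it
     when the budget is exceeded, so a hung parse cannot stall the host.
"""
import multiprocessing
import re
import time
from importlib.metadata import PackageNotFoundError, version as installed_version

FIXED_VERSION = (6, 1, 3)  # first fixed release per the advisory


def parse_version(text):
    """Map '6.1.2' -> (6, 1, 2); missing components are 0.

    Only the numeric release prefix is compared, so a pre-release such as
    '6.1.3rc1' is treated as 6.1.3 (good enough for a vulnerable/fixed split).
    """
    match = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_vulnerable(version_text):
    """True when the given pypdf version predates the fix."""
    return parse_version(version_text) < FIXED_VERSION


def installed_pypdf_is_vulnerable():
    """Check the pypdf in the current environment; False if none is installed."""
    try:
        return is_vulnerable(installed_version("pypdf"))
    except PackageNotFoundError:
        return False


def _worker(conn, func, args):
    """Child-process body: run the job and ship the outcome back over the pipe."""
    try:
        conn.send(("ok", func(*args)))
    except Exception as exc:  # report the failure instead of dying silently
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_with_deadline(func, args, timeout_s):
    """Run func(*args) in a child process under a wall-clock budget.

    Returns ("ok", result), ("error", message) or ("timeout", None).
    The child is terminated if it has not reported back in time.
    """
    parent_conn, child_conn = multiprocessing.Pipe(duplex=False)
    proc = multiprocessing.Process(
        target=_worker, args=(child_conn, func, args), daemon=True
    )
    proc.start()
    child_conn.close()  # parent keeps only the receiving end
    outcome = ("timeout", None)
    if parent_conn.poll(timeout_s):
        outcome = parent_conn.recv()
    proc.join(timeout=1)
    if proc.is_alive():
        proc.terminate()
        proc.join()
    parent_conn.close()
    return outcome


def count_pages(path):
    """Real pypdf call (PdfReader and .pages exist in pypdf); imported lazily."""
    from pypdf import PdfReader
    return len(PdfReader(path).pages)


# Constructed stand-ins so the wrapper can be exercised without a PDF on disk.
def _simulated_parse(path):
    return 3  # pretend the document at `path` has three pages


def _simulated_hang():
    while True:  # models a parser that never returns
        time.sleep(0.05)


if __name__ == "__main__":
    print("installed pypdf vulnerable:", installed_pypdf_is_vulnerable())
    print(run_with_deadline(_simulated_parse, ("constructed.pdf",), 5))
    print(run_with_deadline(_simulated_hang, (), 1))
    # for a real file: run_with_deadline(count_pages, ("/path/to/untrusted.pdf",), 10)
```

In a real deployment the call is `run_with_deadline(count_pages, (path,), budget)`, with the budget set from the largest legitimate document the service expects; a `("timeout", None)` result is worth logging with the file's hash, since a hang on a small input is exactly the symptom this advisory describes.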