pypdf FlateDecode Parameter Manipulation Leading to Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the pypdf library in versions prior to 6.10.2. The issue arises when a crafted PDF contains a stream compressed with the FlateDecode filter whose Predictor value is set to something other than 1 and whose predictor parameters are set to large values. Processing such a stream can exhaust the system's RAM, leading to performance degradation or application failure.

Impact

Exploitation of this vulnerability can cause excessive memory consumption, leading to a denial-of-service condition where the application or system becomes unresponsive or fails to function properly.

Reproduction

To reproduce this vulnerability, create a PDF file that includes a stream compressed with the FlateDecode filter. Set the Predictor parameter to a value other than 1 and use large values for the predictor parameters. When this PDF is processed by pypdf versions prior to 6.10.2, the library will exhaust available RAM, causing a denial-of-service condition.

Remediation

Users can upgrade to pypdf version 6.10.2 or later, where this vulnerability has been fixed. If an immediate upgrade is not possible, the changes from the patch available in pull request #3734 can be applied manually.
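Where upgrading is delayed, a pre-decode policy check over a stream's declared filter parameters can reject oversized predictor declarations before any decompression is attempted. The following is an added example for this advisory, not code from pypdf or from the patch; it takes the /Filter and /DecodeParms values as already parsed from the PDF dictionary (names as strings, null as None), uses the parameter defaults from the PDF specification, and assumes a hypothetical site policy cap of 64 KiB per predictor row.

```python
# Added example (not from the advisory or pypdf): a pre-decode policy check
# over a stream's declared /Filter and /DecodeParms, run before the stream
# is handed to a decoder. PDF names are strings ("/FlateDecode"), null is None.

# Declared-parameter defaults per the PDF specification (Predictor 1 = none).
_DEFAULTS = {"/Predictor": 1, "/Colors": 1, "/BitsPerComponent": 8, "/Columns": 1}

# Policy cap (an assumption for this example): largest predictor row accepted.
MAX_PREDICTOR_ROW_BYTES = 64 * 1024


def _as_list(value):
    """Normalise /Filter and /DecodeParms, which may be one item or an array."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def predictor_row_bytes(parms):
    """Bytes one predictor row occupies for the given /DecodeParms dict.
    PNG predictors (>= 10) prefix every row with one filter-type byte."""
    p = {k: int(parms.get(k, d)) for k, d in _DEFAULTS.items()}
    if p["/Predictor"] == 1:
        return 0  # no predictor, no row buffer
    if p["/Predictor"] not in (2, 10, 11, 12, 13, 14, 15):
        raise ValueError(f"unknown /Predictor {p['/Predictor']}")
    if p["/Columns"] < 1 or p["/Colors"] < 1 or p["/BitsPerComponent"] not in (1, 2, 4, 8, 16):
        raise ValueError("invalid predictor parameters")
    bits = p["/Columns"] * p["/Colors"] * p["/BitsPerComponent"]
    row = (bits + 7) // 8
    return row + 1 if p["/Predictor"] >= 10 else row


def check_stream_parms(filters, decode_parms, cap=MAX_PREDICTOR_ROW_BYTES):
    """Return (ok, reason). Rejects FlateDecode streams whose declared predictor
    row would exceed `cap` bytes, or whose parameters are malformed."""
    filters = _as_list(filters)
    parms = _as_list(decode_parms)
    parms += [None] * (len(filters) - len(parms))  # missing entries mean defaults
    for name, dp in zip(filters, parms):
        if name != "/FlateDecode":
            continue
        try:
            row = predictor_row_bytes(dp or {})
        except ValueError as exc:
            return False, f"{name}: {exc}"
        if row > cap:
            return False, f"{name}: predictor row of {row} bytes exceeds cap {cap}"
    return True, "ok"
```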

Added: Apr 22, 2026, 10:21 PM
Updated: Apr 22, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.