pypdf Memory Exhaustion Vulnerability in FlateDecode Filter

Vulnerability

A denial-of-service vulnerability has been identified in the pypdf library, specifically in versions prior to 6.10.2. The issue arises when an image is processed using the FlateDecode filter with large size values, leading to excessive memory consumption. This vulnerability can be exploited by crafting a PDF that takes advantage of the FlateDecode parameters, causing the application to run out of available RAM.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where the application exhausts its available memory, potentially causing it to crash or become unresponsive.

Reproduction

To reproduce this vulnerability, create a PDF file that includes an image using the FlateDecode filter. Set the image dimensions to values that are large enough to cause significant memory usage during decompression. When the PDF is processed with a version of pypdf prior to 6.10.2, the library will not impose the necessary limits, allowing the crafted PDF to exhaust the available RAM.

Remediation

Users can upgrade to pypdf version 6.10.2 or later, where this vulnerability has been fixed. If an immediate upgrade is not possible, the changes from the patch available in pull request #3734 can be applied manually.
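Where an application cannot upgrade yet, the defensive idea behind the fix can be applied at the point images are decoded: refuse an image whose declared dimensions already exceed a memory budget, and never let the inflater produce more than that declared size. The code below is an added example in plain Python with zlib, not pypdf's own code or the #3734 patch; MAX_DECODED_BYTES, the function names and the two sample streams are assumptions constructed for this illustration.

```python
import zlib

# Assumed policy value: the most decoded image data we are willing to hold at once.
MAX_DECODED_BYTES = 50 * 1024 * 1024  # 50 MiB

def expected_image_bytes(width, height, bpc, colors):
    """Raw sample bytes a PDF image decodes to; rows are padded to whole bytes."""
    if min(width, height, bpc, colors) <= 0:
        raise ValueError("image parameters must be positive")
    return ((width * colors * bpc + 7) // 8) * height

def inflate_bounded(data, max_out):
    """Inflate a FlateDecode stream, refusing to produce more than max_out bytes.

    decompress(data, max_length) caps each call's output, so a tiny stream that
    expands to gigabytes is rejected before that memory is allocated.
    Note max_length=0 means unlimited, so `room` is always kept >= 1.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        room = max_out + 1 - len(out)
        if room <= 0:
            raise ValueError(f"decoded stream exceeds {max_out} bytes")
        chunk = d.decompress(pending, room)
        out += chunk
        pending = d.unconsumed_tail
        if not chunk and not pending:
            break  # input ran out before end-of-stream (truncated data)
    if len(out) > max_out:
        raise ValueError(f"decoded stream exceeds {max_out} bytes")
    return bytes(out)

def decode_image_stream(data, width, height, bpc, colors, max_bytes=MAX_DECODED_BYTES):
    """Decode only if the declared size fits the budget, then cap inflation at it."""
    expected = expected_image_bytes(width, height, bpc, colors)
    if expected > max_bytes:
        raise ValueError(f"declared image needs {expected} bytes, budget is {max_bytes}")
    return inflate_bounded(data, expected)

# Constructed sample: a 4x4 RGB 8-bpc image (48 raw bytes) as a FlateDecode stream.
SAMPLE_IMAGE = dict(Width=4, Height=4, BitsPerComponent=8, Colors=3,
                    data=zlib.compress(bytes(range(48))))
# Constructed sample: ~1 KiB compressed that inflates to 1 MiB, declared as 2x2 grey.
SAMPLE_BOMB = dict(Width=2, Height=2, BitsPerComponent=8, Colors=1,
                   data=zlib.compress(b"\0" * (1 << 20)))
```

The same budget check also rejects a stream whose declared Width and Height alone imply more memory than the budget, before any decompression starts.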

Added: Apr 22, 2026, 10:19 PM
Updated: Apr 22, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.