Identified on v6.2.4
Opening certain malformed PDFs can cause a stack overflow due to unbounded recursion in page tree traversal (PdfPages.GetKids(...)).
Excerpt of log here
stackoverflow_get_kids.txt
Impact
Unhandled StackOverflowException terminates the process
Denial-of-service risk when processing untrusted PDFs
Affects PdfReader.Open(...) in Modify and Import modes
Reproduction
// https://allow.menlotest.com/safedocs/research/PDF101/01-testsuite/01-dos/01-infinite-loop/A-dict-array-loops/A3-pages-tree-loop-simple.pdf
var data = File.ReadAllBytes("A3-pages-tree-loop-simple.pdf");
using var mem = new MemoryStream(data);
using var pdfDoc = PdfReader.Open(mem, PdfDocumentOpenMode.Modify);
// Triggers page tree traversal
_ = pdfDoc.PageCount;
Current Behavior
Recursive traversal of /Kids without safeguards
Infinite recursion on cyclic references
Process terminates with StackOverflowException
Expected Behavior
Detect malformed page tree
Throw a managed exception (e.g., InvalidOperationException)
No process crash
Root Cause
PdfPages.GetKids(...) recursively traverses /Kids without:
cycle detection
recursion depth limits
strict validation of /Kids entries
A cyclic reference in the page tree results in infinite recursion.
Fix
Add safeguards to page tree traversal:
Track visited PdfReference instances
Enforce maximum recursion depth
Validate /Kids entries and /Type
Replace Debug.Assert with runtime exceptions
Validation
After applying these safeguards, malformed PDFs that previously caused a stack overflow now throw a normal managed exception (e.g., InvalidOperationException with message indicating cyclic page tree).
Identified on v6.2.4
Opening certain malformed PDFs can cause a stack overflow due to unbounded recursion in page tree traversal (PdfPages.GetKids(...)).
Excerpt of log here
stackoverflow_get_kids.txt
Impact
Unhandled StackOverflowException terminates the process
Denial-of-service risk when processing untrusted PDFs
Affects PdfReader.Open(...) in Modify and Import modes
Reproduction
// https://allow.menlotest.com/safedocs/research/PDF101/01-testsuite/01-dos/01-infinite-loop/A-dict-array-loops/A3-pages-tree-loop-simple.pdf
var data = File.ReadAllBytes("A3-pages-tree-loop-simple.pdf");
using var mem = new MemoryStream(data);
using var pdfDoc = PdfReader.Open(mem, PdfDocumentOpenMode.Modify);
// Triggers page tree traversal
_ = pdfDoc.PageCount;
Current Behavior
Recursive traversal of /Kids without safeguards
Infinite recursion on cyclic references
Process terminates with StackOverflowException
Expected Behavior
Detect malformed page tree
Throw a managed exception (e.g., InvalidOperationException)
No process crash
Root Cause
PdfPages.GetKids(...) recursively traverses /Kids without:
cycle detection
recursion depth limits
strict validation of /Kids entries
A cyclic reference in the page tree results in infinite recursion.
Fix
Add safeguards to page tree traversal:
Track visited PdfReference instances
Enforce maximum recursion depth
Validate /Kids entries and /Type
Replace Debug.Assert with runtime exceptions
Validation
After applying these safeguards, malformed PDFs that previously caused a stack overflow now throw a normal managed exception (e.g., InvalidOperationException with message indicating cyclic page tree).