Xpdf Security Bug: object loops

PDF files can contain 'object loops', where one PDF object points back to itself, or a sequence of PDF objects point to each other in a longer loop.

Xpdf catches many of those loops, but currently doesn't catch all of them. The result is an infinite loop in Xpdf, ending with a stack overflow.

We're planning a more robust loop detector for Xpdf 5.

Known loops, with references to the Xpdf functions that end up in infinite loops:

• XRef::readXRef - fixed in 4.01

  • CVE-2018-7174

• Parser::makeStream / Object::fetch - fixed in 4.02

  • CVE-2019-13288

• Catalog::countPageTree - fixed in 4.05

  • CVE-2019-9587
  • CVE-2019-9588
  • CVE-2019-16088
  • CVE-2022-33108
  • CVE-2022-38334
  • CVE-2022-41842
  • CVE-2022-43295
  • CVE-2022-45586
  • CVE-2022-45587

• AcroForm::scanField - fixed in 4.05

  • CVE-2018-7453
  • CVE-2018-16369
  • CVE-2022-36561
  • CVE-2022-41844

• Catalog::readPageLabelTree2 - fixed in 4.05

  • CVE-2022-43071
  • CVE-2023-2663

• Catalog::readEmbeddedFileTree - fixed in 4.05

  • CVE-2023-2664

• object streams - will be fixed in 4.06

  • CVE-2024-3247

• Catalog::readFileAttachmentAnnots - will be fixed in 4.06

  • CVE-2024-3248

• PSOutputDev::setupResources - will be fixed in 4.06

  • CVE-2024-4568

• Gfx::drawForm - will be fixed in 4.06

  • CVE-2024-7866