Lopdf Crate Stack Overflow Lets a 21KB PDF Crash Any Parsing Service

github.com · @brave_tiger · 4 hours ago · Cybersecurity · 4 comments

A crafted PDF with just 10,000 levels of nested arrays triggers a SIGABRT that cannot be caught - and the fix is a single depth-limit check.

Tags: lopdf · rust · rustsec · denial of service · pdf parsing · stack overflow

A 21,000-byte PDF file can crash any Rust service that parses untrusted input with the lopdf crate. The stack overflow abort comes from unbounded recursion in the parser - no panic, no recovery, just a hard SIGABRT. The advisory, filed with the RustSec Advisory Database as RUSTSEC-0000-0000, affects lopdf versions 0.41.0 and earlier. The fix landed in 0.42.0 earlier this week.

How a 10,380-Level Nested Array Brings Down Your Process

lopdf::Document::load_mem and all related load entry points recurse into PDF arrays and dictionaries without checking depth. An attacker builds a minimal Catalog entry whose value is a nested array ([[...]]) on the order of 10,000 levels deep. That is enough to exhaust the call stack on any modern system. The PoC is absurdly simple: a 21KB file whose Catalog /X value is "[" * 10380. lopdf::Document::load_mem reads it, recurses 10,380 times, and the process dies with SIGABRT. The CVSS score is 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Why You Can't catch_unwind Your Way Out of This

Rust's panic handling is useless here. Stack overflows are not panics - they trigger an abort that bypasses catch_unwind entirely. Any web server, document processor, or CLI tool that accepts user-supplied PDFs and uses lopdf is one tiny file away from a denial-of-service hole. The advisory's suggested fix is exactly what you'd expect: enforce a maximum object-nesting depth in the parser and return an Err instead of recursing without bound. That's a one-line check that should never have been missing.
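To make the failure mode and the fix concrete, here is an added example that is not lopdf's code and not the advisory's patch: a minimal recursive-descent parser for PDF-style nested arrays of integers, with the depth guard described above, plus a helper that builds input of the same shape as the PoC from the previous section (an opening bracket repeated 10,380 times, then the matching closers). The names parse_value, PdfValue, ParseError, MAX_DEPTH and nested_array_bytes are this example's own, and the limit of 256 is an assumed value, not one taken from lopdf.

```rust
// Added example (not lopdf's own code): a tiny recursive parser for PDF-style
// arrays of integers, with the nesting-depth guard the advisory calls for.
// All names here are chosen for the example; MAX_DEPTH is an assumed value.

#[derive(Debug, PartialEq)]
pub enum PdfValue {
    Int(i64),
    Array(Vec<PdfValue>),
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Nesting went past the caller's limit; returned instead of overflowing the stack.
    DepthExceeded { limit: usize },
    UnexpectedEof,
    UnexpectedByte(u8),
}

/// Number of nested array levels accepted. Assumed value for this example:
/// real documents nest a handful of levels, the PoC nests about 10,000.
pub const MAX_DEPTH: usize = 256;

struct Parser<'a> {
    input: &'a [u8],
    pos: usize,
}

impl<'a> Parser<'a> {
    fn peek(&self) -> Option<u8> {
        self.input.get(self.pos).copied()
    }

    fn skip_ws(&mut self) {
        while matches!(self.peek(), Some(b' ') | Some(b'\n') | Some(b'\r') | Some(b'\t')) {
            self.pos += 1;
        }
    }

    /// Parse one value. `depth` is the number of arrays enclosing this value;
    /// the check on entry is the one-line guard that turns an uncatchable
    /// stack overflow into an ordinary Err the caller can handle.
    fn value(&mut self, depth: usize, max_depth: usize) -> Result<PdfValue, ParseError> {
        if depth >= max_depth {
            return Err(ParseError::DepthExceeded { limit: max_depth });
        }
        self.skip_ws();
        match self.peek() {
            None => Err(ParseError::UnexpectedEof),
            Some(b'[') => {
                self.pos += 1;
                let mut items = Vec::new();
                loop {
                    self.skip_ws();
                    match self.peek() {
                        None => return Err(ParseError::UnexpectedEof),
                        Some(b']') => {
                            self.pos += 1;
                            return Ok(PdfValue::Array(items));
                        }
                        // Recursion happens here, one level deeper per nested array.
                        Some(_) => items.push(self.value(depth + 1, max_depth)?),
                    }
                }
            }
            Some(c) if c.is_ascii_digit() || c == b'-' => {
                let start = self.pos;
                self.pos += 1;
                while matches!(self.peek(), Some(d) if d.is_ascii_digit()) {
                    self.pos += 1;
                }
                let text = std::str::from_utf8(&self.input[start..self.pos]).unwrap();
                text.parse::<i64>()
                    .map(PdfValue::Int)
                    .map_err(|_| ParseError::UnexpectedByte(c))
            }
            Some(c) => Err(ParseError::UnexpectedByte(c)),
        }
    }
}

/// Parse a value, allowing at most `max_depth` nested array levels.
pub fn parse_value(input: &[u8], max_depth: usize) -> Result<PdfValue, ParseError> {
    let mut p = Parser { input, pos: 0 };
    p.value(0, max_depth)
}

/// Constructed input with the shape of the PoC: `[` repeated `n` times, then `]` `n` times.
pub fn nested_array_bytes(n: usize) -> Vec<u8> {
    let mut v = vec![b'['; n];
    v.extend(std::iter::repeat(b']').take(n));
    v
}

fn main() {
    println!("{:?}", parse_value(b"[1 [2 3] [[4]]]", MAX_DEPTH));
    // 10,380 levels, the depth from the advisory: rejected with Err, no abort.
    let hostile = nested_array_bytes(10_380);
    println!("{} bytes -> {:?}", hostile.len(), parse_value(&hostile, MAX_DEPTH));
}
```

Remove the `depth >= max_depth` check and the same 10,380-level input drives `value` 10,380 frames deep, which is the abort the advisory describes; with the check in place the recursion stops at the limit and the caller gets a `DepthExceeded` it can log and reject. The same counter has to be threaded through every recursive entry point (dictionaries and streams as well as arrays), since a limit on one object type leaves the others as the next path to the same crash.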

What This Means for Rust's Safety Narrative

lopdf is a popular Rust PDF library. This isn't a memory-safety bug - it's a logic bug that anyone writing a parser should know to guard against. Rust's ownership model didn't help here because the recursion depth is unbounded at the design level. If you run any service that parses PDFs with lopdf, update to 0.42.0 before someone sends your production box a 21KB Christmas card with a stack-killer inside.


Source: Add advisory for lopdf: stack overflow via deeply nested PDF objects ...
Domain: github.com
