check for cycles during indirect reference resolution (UglyToad#1097)

jan-sutter · Jan Sutter · web-flow · commit e636212ec873 · 2025-07-20T11:12:55.000-05:00
Co-authored-by: Jan Sutter &lt;jan@suttermail.de&gt;
diff --git a/src/UglyToad.PdfPig/PdfExtensions.cs b/src/UglyToad.PdfPig/PdfExtensions.cs
@@ -66,7 +66,7 @@ public static Memory<byte> Decode(this StreamToken stream, IFilterProvider filte
             {
                 var filter = filters[i];
                 totalMaxEstSize *= GetEstimatedSizeMultiplier(filter);
-                
+
                 transform = filter.Decode(transform, stream.StreamDictionary, filterProvider, i);
 
                 if (i < filters.Count - 1 && transform.Length > totalMaxEstSize)
@@ -93,9 +93,9 @@ public static Memory<byte> Decode(this StreamToken stream, ILookupFilterProvider
             {
                 var filter = filters[i];
                 totalMaxEstSize *= GetEstimatedSizeMultiplier(filter);
-                
+
                 transform = filter.Decode(transform, stream.StreamDictionary, filterProvider, i);
-                
+
                 if (i < filters.Count - 1 && transform.Length > totalMaxEstSize)
                 {
                     // Try to prevent malicious decompression, leading to OOM issues
@@ -122,25 +122,34 @@ private static double GetEstimatedSizeMultiplier(IFilter filter)
         /// Returns an equivalent token where any indirect references of child objects are
         /// recursively traversed and resolved.
         /// </summary>
-        internal static T? Resolve<T>(this T? token, IPdfTokenScanner scanner) where T : IToken
+        internal static T? Resolve<T>(this T? token, IPdfTokenScanner scanner, List<long>? visited = null) where T : IToken
         {
-            return (T?)ResolveInternal(token, scanner);
+            return (T?)ResolveInternal(token, scanner, visited ?? []);
         }
 
-        private static IToken? ResolveInternal(this IToken? token, IPdfTokenScanner scanner)
+        private static IToken? ResolveInternal(this IToken? token, IPdfTokenScanner scanner, List<long> visited)
         {
             if (token is StreamToken stream)
             {
-                return new StreamToken(Resolve(stream.StreamDictionary, scanner), stream.Data);
+                return new StreamToken(Resolve(stream.StreamDictionary, scanner, visited), stream.Data);
             }
 
             if (token is DictionaryToken dict)
             {
                 var resolvedItems = new Dictionary<NameToken, IToken>();
                 foreach (var kvp in dict.Data)
                 {
-                    var value = kvp.Value is IndirectReferenceToken reference ? scanner.Get(reference.Data)?.Data : kvp.Value;
-                    resolvedItems[NameToken.Create(kvp.Key)] = ResolveInternal(value, scanner);
+                    var value = kvp.Value;
+                    if (kvp.Value is IndirectReferenceToken reference)
+                    {
+                        if (visited.Contains(reference.Data.ObjectNumber))
+                        {
+                            continue;
+                        }
+                        value = scanner.Get(reference.Data)?.Data;
+                        visited.Add(reference.Data.ObjectNumber);
+                    }
+                    resolvedItems[NameToken.Create(kvp.Key)] = ResolveInternal(value, scanner, visited);
                 }
 
                 return new DictionaryToken(resolvedItems);
@@ -152,7 +161,7 @@ private static double GetEstimatedSizeMultiplier(IFilter filter)
                 for (int i = 0; i < arr.Length; i++)
                 {
                     var value = arr.Data[i] is IndirectReferenceToken reference ? scanner.Get(reference.Data)?.Data : arr.Data[i];
-                    resolvedItems.Add(ResolveInternal(value, scanner));
+                    resolvedItems.Add(ResolveInternal(value, scanner, visited));
                 }
                 return new ArrayToken(resolvedItems);
             }

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ public static Memory<byte> Decode(this StreamToken stream, IFilterProvider filte`
`66`	`66`	`{`
`67`	`67`	`var filter = filters[i];`
`68`	`68`	`totalMaxEstSize *= GetEstimatedSizeMultiplier(filter);`
`69`		`-`
	`69`	`+`
`70`	`70`	`transform = filter.Decode(transform, stream.StreamDictionary, filterProvider, i);`
`71`	`71`
`72`	`72`	`if (i < filters.Count - 1 && transform.Length > totalMaxEstSize)`
`@@ -93,9 +93,9 @@ public static Memory<byte> Decode(this StreamToken stream, ILookupFilterProvider`
`93`	`93`	`{`
`94`	`94`	`var filter = filters[i];`
`95`	`95`	`totalMaxEstSize *= GetEstimatedSizeMultiplier(filter);`
`96`		`-`
	`96`	`+`
`97`	`97`	`transform = filter.Decode(transform, stream.StreamDictionary, filterProvider, i);`
`98`		`-`
	`98`	`+`
`99`	`99`	`if (i < filters.Count - 1 && transform.Length > totalMaxEstSize)`
`100`	`100`	`{`
`101`	`101`	`// Try to prevent malicious decompression, leading to OOM issues`
`@@ -122,25 +122,34 @@ private static double GetEstimatedSizeMultiplier(IFilter filter)`
`122`	`122`	`/// Returns an equivalent token where any indirect references of child objects are`
`123`	`123`	`/// recursively traversed and resolved.`
`124`	`124`	`/// </summary>`
`125`		`- internal static T? Resolve<T>(this T? token, IPdfTokenScanner scanner) where T : IToken`
	`125`	`+ internal static T? Resolve<T>(this T? token, IPdfTokenScanner scanner, List<long>? visited = null) where T : IToken`
`126`	`126`	`{`
`127`		`- return (T?)ResolveInternal(token, scanner);`
	`127`	`+ return (T?)ResolveInternal(token, scanner, visited ?? []);`
`128`	`128`	`}`
`129`	`129`
`130`		`- private static IToken? ResolveInternal(this IToken? token, IPdfTokenScanner scanner)`
	`130`	`+ private static IToken? ResolveInternal(this IToken? token, IPdfTokenScanner scanner, List<long> visited)`
`131`	`131`	`{`
`132`	`132`	`if (token is StreamToken stream)`
`133`	`133`	`{`
`134`		`- return new StreamToken(Resolve(stream.StreamDictionary, scanner), stream.Data);`
	`134`	`+ return new StreamToken(Resolve(stream.StreamDictionary, scanner, visited), stream.Data);`
`135`	`135`	`}`
`136`	`136`
`137`	`137`	`if (token is DictionaryToken dict)`
`138`	`138`	`{`
`139`	`139`	`var resolvedItems = new Dictionary<NameToken, IToken>();`
`140`	`140`	`foreach (var kvp in dict.Data)`
`141`	`141`	`{`
`142`		`- var value = kvp.Value is IndirectReferenceToken reference ? scanner.Get(reference.Data)?.Data : kvp.Value;`
`143`		`- resolvedItems[NameToken.Create(kvp.Key)] = ResolveInternal(value, scanner);`
	`142`	`+ var value = kvp.Value;`
	`143`	`+ if (kvp.Value is IndirectReferenceToken reference)`
	`144`	`+ {`
	`145`	`+ if (visited.Contains(reference.Data.ObjectNumber))`
	`146`	`+ {`
	`147`	`+ continue;`
	`148`	`+ }`
	`149`	`+ value = scanner.Get(reference.Data)?.Data;`
	`150`	`+ visited.Add(reference.Data.ObjectNumber);`
	`151`	`+ }`
	`152`	`+ resolvedItems[NameToken.Create(kvp.Key)] = ResolveInternal(value, scanner, visited);`
`144`	`153`	`}`
`145`	`154`
`146`	`155`	`return new DictionaryToken(resolvedItems);`
`@@ -152,7 +161,7 @@ private static double GetEstimatedSizeMultiplier(IFilter filter)`
`152`	`161`	`for (int i = 0; i < arr.Length; i++)`
`153`	`162`	`{`
`154`	`163`	`var value = arr.Data[i] is IndirectReferenceToken reference ? scanner.Get(reference.Data)?.Data : arr.Data[i];`
`155`		`- resolvedItems.Add(ResolveInternal(value, scanner));`
	`164`	`+ resolvedItems.Add(ResolveInternal(value, scanner, visited));`
`156`	`165`	`}`
`157`	`166`	`return new ArrayToken(resolvedItems);`
`158`	`167`	`}`