itext
diff --git a/‎kernel/src/main/java/com/itextpdf/kernel/exceptions/KernelExceptionMessageConstant.java
Lines changed: 4 additions & 0 deletions b/‎kernel/src/main/java/com/itextpdf/kernel/exceptions/KernelExceptionMessageConstant.java
Lines changed: 4 additions & 0 deletions
diff --git a/‎kernel/src/main/java/com/itextpdf/kernel/exceptions/XrefCycledReferencesException.java
Lines changed: 38 additions & 0 deletions b/‎kernel/src/main/java/com/itextpdf/kernel/exceptions/XrefCycledReferencesException.java
Lines changed: 38 additions & 0 deletions
diff --git a/‎kernel/src/main/java/com/itextpdf/kernel/pdf/PdfReader.java
Lines changed: 39 additions & 9 deletions b/‎kernel/src/main/java/com/itextpdf/kernel/pdf/PdfReader.java
Lines changed: 39 additions & 9 deletions
@@ -328,7 +328,11 @@ public final class KernelExceptionMessageConstant {
     public static final String WMF_IMAGE_EXCEPTION = "WMF image exception.";
     public static final String WRONG_MEDIA_BOX_SIZE_TOO_FEW_ARGUMENTS = "Wrong media box size: {0}. Need at least 4 "
             + "arguments";
+    public static final String XREF_TABLE_HAS_CYCLED_REFERENCES =
+            "Xref table has cycled references. Prev pointer indicates an already visited xref table.";
     public static final String XREF_SUBSECTION_NOT_FOUND = "xref subsection not found.";
+    public static final String XREF_STREAM_HAS_CYCLED_REFERENCES =
+            "Xref stream has cycled references. Prev pointer indicates an already visited xref stream.";
     public static final String YOU_HAVE_TO_DEFINE_A_BOOLEAN_ARRAY_FOR_THIS_COLLECTION_SORT_DICTIONARY = "You have to "
             + "define a boolean array for this collection sort dictionary.";
     public static final String YOU_MUST_SET_A_VALUE_BEFORE_ADDING_A_PREFIX = "You must set a value before adding a "
 
@@ -0,0 +1,38 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2022 iText Group NV
+    Authors: iText Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.kernel.exceptions;
+
+/**
+ * Exception class for infinite loop in xref structure.
+ */
+public class XrefCycledReferencesException extends PdfException {
+
+    /**
+     * Creates a new instance of XrefInfiniteLoopException.
+     *
+     * @param message the detail message.
+     */
+    public XrefCycledReferencesException(String message) {
+        super(message);
+    }
+}
@@ -55,6 +55,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.kernel.exceptions.PdfException;
 import com.itextpdf.kernel.crypto.securityhandler.UnsupportedSecurityHandlerException;
 import com.itextpdf.kernel.exceptions.KernelExceptionMessageConstant;
+import com.itextpdf.kernel.exceptions.XrefCycledReferencesException;
 import com.itextpdf.kernel.pdf.filters.FilterHandlers;
 import com.itextpdf.kernel.pdf.filters.IFilterHandler;
 
@@ -63,10 +64,13 @@ This file is part of the iText (R) project.
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.HashSet;
 import java.util.Map;
 
 import com.itextpdf.kernel.xmp.XMPException;
 import com.itextpdf.kernel.xmp.XMPMetaFactory;
+
+import java.util.Set;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -724,6 +728,10 @@ protected void readPdf() throws IOException {
         }
         try {
             readXref();
+        } catch (XrefCycledReferencesException ex) {
+            // Throws an exception when xref stream has cycled references(due to lack of opportunity to fix such an
+            // issue) or xref tables have cycled references and PdfReader.StrictnessLevel set to CONSERVATIVE.
+            throw ex;
         } catch (RuntimeException ex) {
             Logger logger = LoggerFactory.getLogger(PdfReader.class);
             logger.error(IoLogMessageConstant.XREF_ERROR_WHILE_READING_TABLE_WILL_BE_REBUILT, ex);
@@ -961,11 +969,13 @@ protected PdfArray readArray(boolean objStm) throws IOException {
     protected void readXref() throws IOException {
         tokens.seek(tokens.getStartxref());
         tokens.nextToken();
-        if (!tokens.tokenValueEqualsTo(PdfTokenizer.Startxref))
+        if (!tokens.tokenValueEqualsTo(PdfTokenizer.Startxref)) {
             throw new PdfException(KernelExceptionMessageConstant.PDF_STARTXREF_NOT_FOUND, tokens);
+        }
         tokens.nextToken();
-        if (tokens.getTokenType() != PdfTokenizer.TokenType.Number)
+        if (tokens.getTokenType() != PdfTokenizer.TokenType.Number) {
             throw new PdfException(KernelExceptionMessageConstant.PDF_STARTXREF_IS_NOT_FOLLOWED_BY_A_NUMBER, tokens);
+        }
         long startxref = tokens.getLongValue();
         lastXref = startxref;
         eofPos = tokens.getPosition();
@@ -974,27 +984,41 @@ protected void readXref() throws IOException {
                 xrefStm = true;
                 return;
             }
+        } catch (XrefCycledReferencesException cycledReferencesException) {
+            throw cycledReferencesException;
         } catch (Exception ignored) {
+            // Do nothing.
         }
         // clear xref because of possible issues at reading xref stream.
         pdfDocument.getXref().clear();
 
         tokens.seek(startxref);
         trailer = readXrefSection();
 
-        //  Prev key - integer value
-        //  (Present only if the file has more than one cross-reference section; shall be an indirect reference)
+        //  Prev key - integer value.
+        //  (Present only if the file has more than one cross-reference section; shall be an indirect reference).
         // The byte offset in the decoded stream from the beginning of the file
         // to the beginning of the previous cross-reference section.
         PdfDictionary trailer2 = trailer;
+        final Set<Long> alreadyVisitedXrefTables = new HashSet<>();
         while (true) {
+            alreadyVisitedXrefTables.add(startxref);
             PdfNumber prev = (PdfNumber) trailer2.get(PdfName.Prev);
-            if (prev == null)
+            if (prev == null) {
                 break;
-            if (prev.longValue() == startxref)
-                throw new PdfException(KernelExceptionMessageConstant.
-                        TRAILER_PREV_ENTRY_POINTS_TO_ITS_OWN_CROSS_REFERENCE_SECTION);
-            startxref = prev.longValue();
+            }
+            long prevXrefOffset = prev.longValue();
+            if (alreadyVisitedXrefTables.contains(prevXrefOffset)) {
+                if (StrictnessLevel.CONSERVATIVE.isStricter(this.getStrictnessLevel())) {
+                    // Throw the exception to rebuild xref table, it'll be caught in method above.
+                    throw new PdfException(KernelExceptionMessageConstant.
+                            TRAILER_PREV_ENTRY_POINTS_TO_ITS_OWN_CROSS_REFERENCE_SECTION);
+                } else {
+                    throw new XrefCycledReferencesException(
+                            KernelExceptionMessageConstant.XREF_TABLE_HAS_CYCLED_REFERENCES);
+                }
+            }
+            startxref = prevXrefOffset;
             tokens.seek(startxref);
             trailer2 = readXrefSection();
         }
@@ -1098,6 +1122,7 @@ protected PdfDictionary readXrefSection() throws IOException {
     }
 
     protected boolean readXrefStream(long ptr) throws IOException {
+        final Set<Long> alreadyVisitedXrefStreams = new HashSet<>();
         while (ptr != -1) {
             tokens.seek(ptr);
             if (!tokens.nextToken()) {
@@ -1112,6 +1137,7 @@ protected boolean readXrefStream(long ptr) throws IOException {
             if (!tokens.nextToken() || !tokens.tokenValueEqualsTo(PdfTokenizer.Obj)) {
                 return false;
             }
+            alreadyVisitedXrefStreams.add(ptr);
             PdfXrefTable xref = pdfDocument.getXref();
             PdfObject object = readObject(false);
             PdfStream xrefStream;
@@ -1208,6 +1234,10 @@ protected boolean readXrefStream(long ptr) throws IOException {
                 }
             }
             ptr = prev;
+            if (alreadyVisitedXrefStreams.contains(ptr)) {
+                throw new XrefCycledReferencesException(
+                        KernelExceptionMessageConstant.XREF_STREAM_HAS_CYCLED_REFERENCES);
+            }
         }
         return true;
     }