Source: GitHub Security Advisories

**[@pdfme/pdf-lib] PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS**

By GitHub, 21 March 2026
**Summary**

The DecodeStream.ensureBuffer() method in @pdfme/pdf-lib doubles its internal buffer without any upper bound on the decompressed size. A crafted PDF containing a FlateDecode stream with a high compression ratio (decompression bomb) causes unbounded memory allocation during stream decoding, leading to memory exhaustion and denial of service in both server-side (generator) and client-side (UI) contexts.

**Details**

The vulnerability exists in the DecodeStream class, which is the base class for all stream decoders including FlateStream (DEFLATE/zlib decompression).

Unbounded buffer growth in ensureBuffer() (packages/pdf-lib/src/core/streams/DecodeStream.ts:148-160):

```typescript
protected ensureBuffer(requested: number) {
  const buffer = this.buffer;
  if (requested <= buffer.byteLength) {
    return buffer;
  }
  let size = this.minBufferLength;
  while (size < requested) {
    size *= 2; // Doubles with no upper bound
  }
  const buffer2 = new Uint8Array(size); // Allocates without limit
  buffer2.set(buffer);
  return (this.buffer = buffer2);
}
```

The `size *= 2` loop has no maximum size check. The buffer will continue doubling until the process runs out of memory...
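As an added illustration (not code from @pdfme/pdf-lib or from the advisory), the growth loop above as a stand-alone buffer class beside a bounded variant that rejects an oversized decoded length before allocating; MAX_DECODED_BYTES, the class names and DecodedBytesLimitError are assumed names, and the 64 MiB cap is an assumed value.

```typescript
// Added example, not @pdfme/pdf-lib code. A stand-in for the DecodeStream
// growth loop beside a bounded variant; names and the cap are assumptions.
const MAX_DECODED_BYTES = 64 * 1024 * 1024; // assumed per-stream cap
class DecodedBytesLimitError extends Error {}

// The size the doubling loop settles on, computed without allocating,
// so even a multi-gigabyte request can be inspected safely.
function doublingSize(minBufferLength: number, requested: number): number {
  let size = minBufferLength;
  while (size < requested) size *= 2; // no upper bound, as in the advisory
  return size;
}

// Same behaviour as the advisory's ensureBuffer(): grows to whatever the
// decoded length (controlled by the PDF's stream contents) demands.
class UnboundedDecodeBuffer {
  buffer: Uint8Array;
  minBufferLength: number;
  constructor(minBufferLength = 512) {
    this.minBufferLength = minBufferLength;
    this.buffer = new Uint8Array(minBufferLength);
  }
  ensureBuffer(requested: number): Uint8Array {
    if (requested <= this.buffer.byteLength) return this.buffer;
    const grown = new Uint8Array(doublingSize(this.minBufferLength, requested));
    grown.set(this.buffer);
    return (this.buffer = grown);
  }
}

// Hardened variant: reject a request past the cap before allocating, and
// never let the doubling overshoot the cap. Surface the error as "stream too large".
class BoundedDecodeBuffer extends UnboundedDecodeBuffer {
  maxBytes: number;
  constructor(minBufferLength = 512, maxBytes = MAX_DECODED_BYTES) {
    super(minBufferLength);
    this.maxBytes = maxBytes;
  }
  ensureBuffer(requested: number): Uint8Array {
    if (requested <= this.buffer.byteLength) return this.buffer;
    if (!Number.isSafeInteger(requested) || requested > this.maxBytes) {
      throw new DecodedBytesLimitError(`decoded stream would exceed ${this.maxBytes} bytes`);
    }
    const size = Math.min(doublingSize(this.minBufferLength, requested), this.maxBytes);
    const grown = new Uint8Array(size);
    grown.set(this.buffer);
    return (this.buffer = grown);
  }
}
```

The cap must be checked against the requested decoded length, not only against the current buffer, otherwise a single large request still allocates once before any limit applies.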
---
**[devsupporter commentary]**
This article is a recent development update provided by GitHub Security Advisories. To learn more about the related tools or techniques, refer to the original link.
![[@pdfme/pdf-lib] PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS](/assets/images/github_com_1774224311643.png)