Circular reference using in (stream) object's /Length attribute can cause poppler's PDF parser to enter an infinite loop (deep recursion), leading to program crash once all stack memory is exhausted. This can happen when object's /Length attribute refers to the same object, but the loop can also contain additional intermediate objects.
Created attachment 36558 [details]
Minimal test case
One object referring to itself.
Created attachment 36559 [details]
Minimal test case with multiple objects
/Length reference loop with 3 objects.
Should be fixed in master
(In reply to comment #3)
> Should be fixed in master
In http://cgit.freedesktop.org/poppler/poppler/commit/?id=b0555189a7 and http://cgit.freedesktop.org/poppler/poppler/commit/?id=3628837feb , it seems.
Latest git version no longer crashes on the test files I have for this issue.
I wonder if it might make sense to put some arbitrary sane limit on the maximum fetchOriginatorNums set size. For the /Length loop I reported, I suppose sets with more than a few members should be uncommon.
Personally i'll avoid adding an arbitrary limit since finding a sane value is too difficult