File CVE-2026-31826.patch of Package python-PyPDF2
Index: pypdf-2.11.1/PyPDF2/filters.py
===================================================================
--- pypdf-2.11.1.orig/PyPDF2/filters.py
+++ pypdf-2.11.1/PyPDF2/filters.py
@@ -62,6 +62,7 @@ from .constants import StreamAttributes
from .errors import LimitReachedError, PdfReadError, PdfStreamError
ZLIB_MAX_RECOVERY_INPUT_LENGTH = 5_000_000
+MAX_DECLARED_STREAM_LENGTH = 75_000_000
# Reuse cached 1-byte values in the fallback loop to avoid per-byte allocations.
_SINGLE_BYTES = tuple(bytes((i,)) for i in range(256))
Index: pypdf-2.11.1/PyPDF2/generic/_data_structures.py
===================================================================
--- pypdf-2.11.1.orig/PyPDF2/generic/_data_structures.py
+++ pypdf-2.11.1/PyPDF2/generic/_data_structures.py
@@ -54,7 +54,7 @@ from ..constants import OutlineFontFlag
from ..constants import StreamAttributes as SA
from ..constants import TypArguments as TA
from ..constants import TypFitArguments as TF
-from ..errors import STREAM_TRUNCATED_PREMATURELY, PdfReadError, PdfStreamError
+from ..errors import STREAM_TRUNCATED_PREMATURELY, LimitReachedError, PdfReadError, PdfStreamError
from ._base import (
BooleanObject,
FloatObject,
@@ -310,7 +310,16 @@ class DictionaryObject(dict, PdfObject):
length = pdf.get_object(length)
stream.seek(t, 0)
pstart = stream.tell()
- data["__streamdata__"] = stream.read(length)
+ if length >= 0:
+ from ..filters import MAX_DECLARED_STREAM_LENGTH # noqa: PLC0415
+ if length > MAX_DECLARED_STREAM_LENGTH:
+ raise LimitReachedError(f"Declared stream length of {length} exceeds maximum allowed length.")
+
+ data["__streamdata__"] = stream.read(length)
+ else:
+ data["__streamdata__"] = read_until_regex(
+ stream, re.compile(b"endstream")
+ )
e = read_non_whitespace(stream)
ndstream = stream.read(8)
if (e + ndstream) != b"endstream":
