Skip to main content

zpdf_core/
limits.rs

1/// Security limits for PDF parsing. PDF is an untrusted input format.
2#[derive(Debug, Clone)]
3pub struct ParseLimits {
4    pub max_object_depth: u32,
5    pub max_stream_bytes: u64,
6    pub max_image_pixels: u64,
7    pub max_page_operators: u64,
8    pub max_string_length: u32,
9    /// Max number of objects a tail-scan recovery pass will index before
10    /// giving up (guards against pathological/adversarial inputs).
11    pub max_objects: u32,
12}
13
14impl Default for ParseLimits {
15    fn default() -> Self {
16        Self {
17            max_object_depth: 100,
18            max_stream_bytes: 256 * 1024 * 1024,
19            max_image_pixels: 100_000_000,
20            max_page_operators: 1_000_000,
21            // ISO 32000 imposes no string length limit (64 KiB is only the
22            // PDF/A-1 / legacy-Acrobat bound), so real files exceed it. This
23            // is purely an allocation guard against adversarial input.
24            max_string_length: 16 * 1024 * 1024,
25            max_objects: 5_000_000,
26        }
27    }
28}