If you discover a security vulnerability in the XFA PDF SDK, please report it responsibly.

Email: security@xfa.dev

Do NOT open a public GitHub issue for security vulnerabilities.

• Description of the vulnerability
• Steps to reproduce (ideally with a minimal PDF file)
• Impact assessment (what an attacker could achieve)
• Affected crate(s) and version(s)

• MAX_OBJECTS: 500,000 indirect objects per PDF (prevents combinatorial explosion)
• MAX_PAGES: 50,000 pages per document
• Flate decompression cap: 100 MB per stream (prevents zip bombs)
• RLIMIT_AS: 8 GB virtual memory cap per process in corpus runner
• Stream length validation: Declared vs actual byte count verification
• Xref rebuild: Automatic recovery from corrupt cross-reference tables

17 fuzz targets covering all input-facing APIs:

• fuzz_pdf_parser — PDF parsing and xref resolution
• fuzz_content_stream — Content stream operator parsing
• fuzz_xref — Cross-reference table parsing
• fuzz_filters — Flate/LZW/ASCII85/RunLength decompression
• fuzz_data_dom — XFA data DOM construction
• fuzz_formcalc — FormCalc expression evaluation
• fuzz_som_path — SOM path resolution
• fuzz_content_editor — Content stream editing
• fuzz_text_replace — Text replacement in content streams
• fuzz_redact — Text and area redaction
• fuzz_pdfa_convert — PDF/A conversion pipeline
• fuzz_lopdf_roundtrip — lopdf load/save roundtrip
• fuzz_form_fill — AcroForm field writing
• fuzz_annot_create — Annotation creation
• fuzz_sign — Digital signature creation
• fuzz_xfa_template — XFA template parsing

Fuzzing runs nightly in CI (300 seconds per target) and on every PR (smoke test, 60 seconds).

• cargo-audit runs in CI to detect known vulnerabilities in dependencies
• Minimal dependency tree — pure Rust implementations preferred over C bindings
• No OpenSSL dependency — TLS via rustls

• Zero unsafe in application crates (only in FFI boundary crates: pdf-capi, pdf-java, pdf-ocr)
• Core library crates (pdf-engine, pdf-compliance, pdf-manip): 9 unsafe blocks total, all for performance-critical byte operations with safety comments
• #[deny(unsafe_code)] on pure-logic crates (formcalc-interpreter, xfa-layout-engine, xfa-license)

The XFA PDF SDK processes untrusted PDF input. The security boundary is:

• Trusted: SDK API callers, configuration, font directories
• Untrusted: PDF file contents, embedded fonts, JavaScript/FormCalc in XFA, XMP metadata, embedded file attachments

The SDK must never:

• Execute arbitrary code from PDF content
• Access files outside explicitly configured directories
• Leak memory contents between unrelated documents
• Enter infinite loops on crafted input
• Consume unbounded memory on crafted input