adawolfa/isdoc: Uncontrolled resource consumption (decompression bomb) when reading untrusted ISDOCX or PDF files
adawolfa/isdoc reads ISDOC invoices from ISDOCX (ZIP) archives and from PDF files with embedded ISDOC documents and supplements. Affected versions inflate ZIP entries and read embedded files without validating their uncompressed size, so a small crafted file can amplify into gigabytes: ISDOCX decompression bomb — getFromName() inflates the ISDOC document and binary supplements with no size cap. saveTo() disk-fill — the supplement copy loop writes inflated bytes to disk with …