I agree with the pdf spec allowing some insane stuff.
However, I think it's quite a stretch to put any blame on Adobe for this one.
In essence, Avast has implemented their own std::vec in C for the management of the magic numbers, and they implemented it quite poorly.
As mentioned in the article, the find_magicnums function supports roughly 300 (!) different magic numbers. Adobe's PDF is not required at all to exploit this bug.
However, I think it's quite a stretch to put any blame on Adobe for this one.
In essence, Avast has implemented their own std::vec in C for the management of the magic numbers, and they implemented it quite poorly.
As mentioned in the article, the find_magicnums function supports roughly 300 (!) different magic numbers. Adobe's PDF is not required at all to exploit this bug.