
Malicious TypeSpec loop causes dnSpy to completely hang and crash #331

Closed
Washi1337 opened this issue Dec 24, 2019 · 1 comment

Comments

@Washi1337

Version: dnSpy 6.1.1 (net472 32-bit, net472 64-bit, netcore 32-bit, netcore 64-bit)
OS: Windows 10 64-bit

How to reproduce:
Add the following method to a class.

private static Type MaliciousTypeSpecLoop()
{
	return typeof(Program[]);
}

This adds a row in the TypeSpec table that refers to an ELEMENT_TYPE_SZARRAY signature. This signature has an ELEMENT_TYPE_CLASS, followed by a coded index referring back to the Program class. If we change this coded index (using e.g. a hex editor) to the coded index referring to the same TypeSpec that we came from, we create an infinite type signature loop. The application still runs fine, as the malicious method is never JIT'ed. Opening the enclosing class in dnSpy, however, completely bricks the application and crashes eventually. It seems dnSpy or perhaps dnlib doesn't take this into account.

Attached is a zip archive with the original executable and maliciously modified app.
TypeSpecLoopSample.zip

Additional information:
It seems referencing a TypeSpec row is illegal in a TypeDefOrRef signature.

peverify deems this kind of signature illegal:

D:\Washi\Desktop>peverify HelloWorld.MaliciousTypeSpecLoop.exe
Microsoft (R) .NET Framework PE Verifier.  Version  4.0.30319.0
Copyright (c) Microsoft Corporation.  All rights reserved.

[MD]: Error: Signature has token following ELEMENT_TYPE_CLASS (_VALUETYPE) that is not a TypeDef or TypeRef (token: 0x1b000001; offset: 0x00000003). [token:0x1B000001]
1 Error(s) Verifying HelloWorld.MaliciousTypeSpecLoop.exe   

ILSpy (and thus System.Reflection.Metadata) state that this is also illegal:

// MaliciousClass
using System;

public static Type MaliciousReturnType()
{
	//Discarded unreachable code: IL_0005
	/*Error: Specified handle is not a TypeDefinitionHandle or TypeRefererenceHandle.*/;
}

I am unsure whether this is also the behaviour that the CLR / CoreCLR has.
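The following decoder is an added illustration of the two checks the report points at; it is not dnlib's or dnSpy's code. It parses the TypeDefOrRefOrSpecEncoded coded index that follows ELEMENT_TYPE_CLASS / ELEMENT_TYPE_VALUETYPE (ECMA-335 II.23.2.8) and either rejects a TypeSpec token there, as peverify does, or, in a lenient mode, follows it while tracking the TypeSpec tokens currently being resolved so that a self-referencing or mutually referencing TypeSpec fails with an error instead of recursing forever. The metadata tables, row numbers, type names and signature blobs are constructed inline and are assumptions; the blobs omit the compressed length prefix the blob heap stores, so the reported offsets are relative to the signature bytes themselves.

```python
"""Decode ECMA-335 type signatures with a guard against TypeSpec loops.

Added example, not dnlib or dnSpy code. All tables and blobs are constructed.
"""
from dataclasses import dataclass

# ECMA-335 II.23.1.16 element types (subset sufficient for the sample)
ELEMENT_TYPE_VOID = 0x01
ELEMENT_TYPE_I4 = 0x08
ELEMENT_TYPE_STRING = 0x0E
ELEMENT_TYPE_VALUETYPE = 0x11
ELEMENT_TYPE_CLASS = 0x12
ELEMENT_TYPE_OBJECT = 0x1C
ELEMENT_TYPE_SZARRAY = 0x1D
PRIMITIVES = {ELEMENT_TYPE_VOID: "void", ELEMENT_TYPE_I4: "int",
              ELEMENT_TYPE_STRING: "string", ELEMENT_TYPE_OBJECT: "object"}

# TypeDefOrRefOrSpecEncoded (II.23.2.8): low two bits select the table, rest is the row.
TAG_TYPEDEF, TAG_TYPEREF, TAG_TYPESPEC = 0, 1, 2
TABLE_IDS = {TAG_TYPEDEF: 0x02, TAG_TYPEREF: 0x01, TAG_TYPESPEC: 0x1B}


class MalformedSignature(ValueError):
    """Raised instead of looping or crashing on a bad signature."""


@dataclass
class Metadata:
    typedef_names: dict   # TypeDef rid -> name (assumed)
    typeref_names: dict   # TypeRef rid -> name (assumed)
    typespecs: dict       # TypeSpec rid -> signature blob without its length prefix


def read_compressed_uint(blob: bytes, pos: int) -> tuple:
    """II.23.2 compressed unsigned integer; returns (value, new_pos)."""
    if pos >= len(blob):
        raise MalformedSignature("unexpected end of signature")
    b0 = blob[pos]
    if b0 & 0x80 == 0:
        return b0, pos + 1
    if b0 & 0xC0 == 0x80 and pos + 2 <= len(blob):
        return ((b0 & 0x3F) << 8) | blob[pos + 1], pos + 2
    if b0 & 0xE0 == 0xC0 and pos + 4 <= len(blob):
        return (((b0 & 0x1F) << 24) | (blob[pos + 1] << 16)
                | (blob[pos + 2] << 8) | blob[pos + 3]), pos + 4
    raise MalformedSignature(f"bad compressed integer at offset 0x{pos:08x}")


def encode_coded(tag: int, rid: int) -> int:
    """Single-byte TypeDefOrRefOrSpecEncoded value, enough for the sample rows."""
    value = (rid << 2) | tag
    assert value < 0x80, "sample rows only"
    return value


def decode_type(blob: bytes, pos: int, md: Metadata, path: list, strict: bool) -> tuple:
    """Decode one Type (II.23.2.12) starting at pos; returns (display name, new_pos)."""
    if pos >= len(blob):
        raise MalformedSignature("unexpected end of signature")
    et, pos = blob[pos], pos + 1
    if et in PRIMITIVES:
        return PRIMITIVES[et], pos
    if et == ELEMENT_TYPE_SZARRAY:
        inner, pos = decode_type(blob, pos, md, path, strict)
        return inner + "[]", pos
    if et in (ELEMENT_TYPE_CLASS, ELEMENT_TYPE_VALUETYPE):
        offset = pos
        value, pos = read_compressed_uint(blob, pos)
        tag, rid = value & 0x3, value >> 2
        if tag not in TABLE_IDS or rid == 0:
            raise MalformedSignature(f"invalid coded index 0x{value:x} at offset 0x{offset:08x}")
        token = (TABLE_IDS[tag] << 24) | rid
        if tag == TAG_TYPESPEC:
            # II.23.2.12 only allows TypeDef or TypeRef here; peverify rejects anything else.
            if strict:
                raise MalformedSignature(
                    "token following ELEMENT_TYPE_CLASS/VALUETYPE is not a TypeDef or TypeRef "
                    f"(token: 0x{token:08x}; offset: 0x{offset:08x})")
            # Lenient mode, as a tolerant decompiler might do: follow it, but with the loop guard.
            return decode_typespec(rid, md, path, strict), pos
        names = md.typedef_names if tag == TAG_TYPEDEF else md.typeref_names
        if rid not in names:
            raise MalformedSignature(f"dangling token 0x{token:08x}")
        return names[rid], pos
    raise MalformedSignature(f"unsupported element type 0x{et:02x}")


def decode_typespec(rid: int, md: Metadata, path: list = None, strict: bool = True) -> str:
    """Resolve TypeSpec row rid; `path` holds the TypeSpec tokens being resolved right now."""
    path = [] if path is None else path
    token = (TABLE_IDS[TAG_TYPESPEC] << 24) | rid
    if token in path:
        chain = " -> ".join(f"0x{t:08x}" for t in path + [token])
        raise MalformedSignature(f"TypeSpec cycle detected: {chain}")
    if rid not in md.typespecs:
        raise MalformedSignature(f"dangling TypeSpec token 0x{token:08x}")
    path.append(token)
    try:
        name, pos = decode_type(md.typespecs[rid], 0, md, path, strict)
    finally:
        path.pop()
    if pos != len(md.typespecs[rid]):
        raise MalformedSignature(f"trailing bytes in TypeSpec 0x{token:08x}")
    return name


def check_typespec(rid: int, md: Metadata, strict: bool = True) -> tuple:
    """Return ("ok", name) or ("error", message) so callers never see an exception."""
    try:
        return "ok", decode_typespec(rid, md, strict=strict)
    except MalformedSignature as exc:
        return "error", str(exc)


def build_samples() -> dict:
    """Constructed metadata: a valid Program[] TypeSpec and two looping variants."""
    names = {1: "<Module>", 2: "Program"}  # assumed TypeDef rows
    sz, cls = ELEMENT_TYPE_SZARRAY, ELEMENT_TYPE_CLASS
    return {
        "benign": Metadata(names, {}, {1: bytes([sz, cls, encode_coded(TAG_TYPEDEF, 2)])}),
        "self_loop": Metadata(names, {}, {1: bytes([sz, cls, encode_coded(TAG_TYPESPEC, 1)])}),
        "mutual_loop": Metadata(names, {}, {
            1: bytes([sz, cls, encode_coded(TAG_TYPESPEC, 2)]),
            2: bytes([sz, cls, encode_coded(TAG_TYPESPEC, 1)])}),
    }


if __name__ == "__main__":
    for label, md in build_samples().items():
        for strict in (True, False):
            print(f"{label:12} strict={strict!s:5} -> {check_typespec(1, md, strict)}")
```

Strict mode reproduces the shape of peverify's complaint (a TypeSpec token 0x1b000001 after ELEMENT_TYPE_CLASS); lenient mode shows that even a reader that chooses to follow such a token only needs a stack of in-progress TypeSpec tokens, not a depth counter, to turn the infinite recursion into a reported cycle.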

@0xd4d 0xd4d transferred this issue from dnSpy/dnSpy Dec 24, 2019
@0xd4d
Collaborator

0xd4d commented Dec 24, 2019

Moved it to dnlib
