Fix integer overflow in tilingPatternFill (CVE-2026-10118)

Resolves: RHEL-180579
This commit is contained in:
Marek Kasik 2026-06-26 15:02:43 +02:00
parent 58ed9ca440
commit 0aa81a8021
2 changed files with 46 additions and 1 deletions

View File

@ -0,0 +1,38 @@
From 678bed7fc23bc14eb5f3ff4dfbaa10f2b252cf21 Mon Sep 17 00:00:00 2001
From: Marek Kasik <mkasik@redhat.com>
Date: Thu, 21 May 2026 17:51:51 +0200
Subject: [PATCH] SplashOutputDev: Fix integer overflow in tilingPatternFill
Use checkedMultiply() to check integer multiplication of surface size
and number of repetitions to avoid integer overflow and possible memory issues.
Fixes: #1715
---
poppler/SplashOutputDev.cc | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
index 705aae25..f10d6538 100644
--- a/poppler/SplashOutputDev.cc
+++ b/poppler/SplashOutputDev.cc
@@ -4327,7 +4328,7 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /*
matc[2] = ctm[2];
matc[3] = ctm[3];
- if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4) {
+ if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4 || checkedMultiply(surface_width, repeatX, &result_width) || checkedMultiply(surface_height, repeatY, &result_height)) {
state->setCTM(savedCTM[0], savedCTM[1], savedCTM[2], savedCTM[3], savedCTM[4], savedCTM[5]);
return false;
}
@@ -4349,8 +4350,6 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /*
kx = matc[0];
ky = matc[3] - (matc[1] * matc[2]) / matc[0];
}
- result_width = surface_width * repeatX;
- result_height = surface_height * repeatY;
kx = result_width / (fabs(kx) + 1);
ky = result_height / (fabs(ky) + 1);
state->concatCTM(kx, 0, 0, ky, 0, 0);
--
2.54.0

View File

@ -3,7 +3,7 @@
Summary: PDF rendering library
Name: poppler
Version: 21.01.0
Release: 25%{?dist}
Release: 26%{?dist}
License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
URL: http://poppler.freedesktop.org/
Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@ -63,6 +63,9 @@ Patch16: poppler-21.01.0-fix-pdfsig-man-page.patch
# https://issues.redhat.com/browse/RHEL-165202
Patch17: poppler-21.01.0-space-after.patch
# https://issues.redhat.com/browse/RHEL-180579
Patch18: poppler-21.01.0-tilingPatternFill-overflow.patch
BuildRequires: make
BuildRequires: cmake
BuildRequires: gcc-c++
@ -256,6 +259,10 @@ test "$(pkg-config --modversion poppler-qt5)" = "%{version}"
%{_mandir}/man1/*
%changelog
* Fri Jun 26 2026 Marek Kasik <mkasik@redhat.com> - 21.01.0-26
- Fix integer overflow in tilingPatternFill (CVE-2026-10118)
- Resolves: RHEL-180579
* Mon May 11 2026 Marek Kasik <mkasik@redhat.com> - 21.01.0-25
- Fix getText() for space after word
- Resolves: RHEL-165202