From 3ce9aadbf02e9de7a1dd9e1915bc719f60152f33 Mon Sep 17 00:00:00 2001 From: Marek Kasik Date: Mon, 26 Sep 2022 15:25:51 +0200 Subject: [PATCH] Check for overflow when computing number of symbols in JBIG2 text region Resolves: #2126364 --- poppler-21.01.0-jbig-symbol-overflow.patch | 26 ++++++++++++++++++++++ poppler.spec | 10 ++++++++- 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 poppler-21.01.0-jbig-symbol-overflow.patch diff --git a/poppler-21.01.0-jbig-symbol-overflow.patch b/poppler-21.01.0-jbig-symbol-overflow.patch new file mode 100644 index 0000000..9a7cc0c --- /dev/null +++ b/poppler-21.01.0-jbig-symbol-overflow.patch @@ -0,0 +1,26 @@ +From 27354e9d9696ee2bc063910a6c9a6b27c5184a52 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Thu, 25 Aug 2022 00:14:22 +0200 +Subject: JBIG2Stream: Fix crash on broken file + +https://github.com/jeffssh/CVE-2021-30860 + +Thanks to David Warren for the heads up + +diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc +index 662276e5..9f70431d 100644 +--- a/poppler/JBIG2Stream.cc ++++ b/poppler/JBIG2Stream.cc +@@ -1976,7 +1976,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless + for (i = 0; i < nRefSegs; ++i) { + if ((seg = findSegment(refSegs[i]))) { + if (seg->getType() == jbig2SegSymbolDict) { +- numSyms += ((JBIG2SymbolDict *)seg)->getSize(); ++ const unsigned int segSize = ((JBIG2SymbolDict *)seg)->getSize(); ++ if (unlikely(checkedAdd(numSyms, segSize, &numSyms))) { ++ error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region"); ++ return; ++ } + } else if (seg->getType() == jbig2SegCodeTable) { + codeTables->push_back(seg); + } diff --git a/poppler.spec b/poppler.spec index fc8e492..00673e4 100644 --- a/poppler.spec +++ b/poppler.spec @@ -3,7 +3,7 @@ Summary: PDF rendering library Name: poppler Version: 21.01.0 -Release: 13%{?dist} +Release: 14%{?dist} License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT URL: http://poppler.freedesktop.org/ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz @@ -32,6 +32,9 @@ Patch6: poppler-21.01.0-covscan.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2087190 Patch7: poppler-21.01.0-hints.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2124527 +Patch8: poppler-21.01.0-jbig-symbol-overflow.patch + BuildRequires: make BuildRequires: cmake BuildRequires: gcc-c++ @@ -225,6 +228,11 @@ test "$(pkg-config --modversion poppler-qt5)" = "%{version}" %{_mandir}/man1/* %changelog +* Mon Sep 26 2022 Marek Kasik - 21.01.0-14 +- Check for overflow when computing number of symbols +- in JBIG2 text region +- Resolves: #2126364 + * Fri Jun 17 2022 Marek Kasik - 21.01.0-13 - Don't run out of file for Hints - Rebuild for #2096451