rpms/poppler
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Check for overflow when computing number of symbols

Browse Source 
in JBIG2 text region

Resolves: #2126364
This commit is contained in:
Marek Kasik 2022-09-26 15:25:51 +02:00
parent 40f61341c1
commit 3ce9aadbf0
2 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
poppler-21.01.0-jbig-symbol-overflow.patch Normal file
View File

@ -0,0 +1,26 @@
From 27354e9d9696ee2bc063910a6c9a6b27c5184a52 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Thu, 25 Aug 2022 00:14:22 +0200
Subject: JBIG2Stream: Fix crash on broken file
https://github.com/jeffssh/CVE-2021-30860
Thanks to David Warren for the heads up
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 662276e5..9f70431d 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -1976,7 +1976,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
for (i = 0; i < nRefSegs; ++i) {
if ((seg = findSegment(refSegs[i]))) {
if (seg->getType() == jbig2SegSymbolDict) {
- numSyms += ((JBIG2SymbolDict *)seg)->getSize();
+ const unsigned int segSize = ((JBIG2SymbolDict *)seg)->getSize();
+ if (unlikely(checkedAdd(numSyms, segSize, &numSyms))) {
+ error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region");
+ return;
+ }
} else if (seg->getType() == jbig2SegCodeTable) {
codeTables->push_back(seg);
}

10
poppler.spec
View File

@ -3,7 +3,7 @@
Summary: PDF rendering library Summary: PDF rendering library
Name: poppler Name: poppler
Version: 21.01.0 Version: 21.01.0
Release: 13%{?dist} Release: 14%{?dist}
License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
URL: http://poppler.freedesktop.org/ URL: http://poppler.freedesktop.org/
Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@ -32,6 +32,9 @@ Patch6: poppler-21.01.0-covscan.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2087190 # https://bugzilla.redhat.com/show_bug.cgi?id=2087190
Patch7: poppler-21.01.0-hints.patch Patch7: poppler-21.01.0-hints.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2124527
Patch8: poppler-21.01.0-jbig-symbol-overflow.patch
BuildRequires: make BuildRequires: make
BuildRequires: cmake BuildRequires: cmake
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -225,6 +228,11 @@ test "$(pkg-config --modversion poppler-qt5)" = "%{version}"
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Mon Sep 26 2022 Marek Kasik <mkasik@redhat.com> - 21.01.0-14
- Check for overflow when computing number of symbols
- in JBIG2 text region
- Resolves: #2126364
* Fri Jun 17 2022 Marek Kasik <mkasik@redhat.com> - 21.01.0-13 * Fri Jun 17 2022 Marek Kasik <mkasik@redhat.com> - 21.01.0-13
- Don't run out of file for Hints - Don't run out of file for Hints
- Rebuild for #2096451 - Rebuild for #2096451