From 50de5fa2e0369787a72566391a69a0df1f07f9b1 Mon Sep 17 00:00:00 2001
From: Marek Kasik <mkasik@redhat.com>
Date: Fri, 9 Jun 2023 13:11:00 +0200
Subject: [PATCH] Don't crash in broken documents

Resolves: #2189848
---
 ...ler-21.01.0-pdfunite-broken-document.patch | 48 +++++++++++++++++++
 poppler.spec                                  |  9 +++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 poppler-21.01.0-pdfunite-broken-document.patch

diff --git a/poppler-21.01.0-pdfunite-broken-document.patch b/poppler-21.01.0-pdfunite-broken-document.patch
new file mode 100644
index 0000000..11e4004
--- /dev/null
+++ b/poppler-21.01.0-pdfunite-broken-document.patch
@@ -0,0 +1,48 @@
+From efb68686784f0c58668b7ced990fd173e09346db Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 18 Aug 2022 23:41:24 +0200
+Subject: pdfunite: Don't crash in broken documents
+
+
+diff --git a/utils/pdfunite.cc b/utils/pdfunite.cc
+index 86e75555..a154f40d 100644
+--- a/utils/pdfunite.cc
++++ b/utils/pdfunite.cc
+@@ -106,16 +106,21 @@ static void doMergeNameDict(PDFDoc *doc, XRef *srcXRef, XRef *countRef, int oldR
+     }
+ }
+ 
+-static void doMergeFormDict(Dict *srcFormDict, Dict *mergeFormDict, int numOffset)
++static bool doMergeFormDict(Dict *srcFormDict, Dict *mergeFormDict, int numOffset)
+ {
+     Object srcFields = srcFormDict->lookup("Fields");
+     Object mergeFields = mergeFormDict->lookup("Fields");
+     if (srcFields.isArray() && mergeFields.isArray()) {
+         for (int i = 0; i < mergeFields.arrayGetLength(); i++) {
+             const Object &value = mergeFields.arrayGetNF(i);
++            if (!value.isRef()) {
++                error(errSyntaxError, -1, "Fields object is not a Ref.");
++                return false;
++            }
+             srcFields.arrayAdd(Object({ value.getRef().num + numOffset, value.getRef().gen }));
+         }
+     }
++    return true;
+ }
+ 
+ ///////////////////////////////////////////////////////////////////////////
+@@ -332,7 +337,13 @@ int main(int argc, char *argv[])
+             if (afObj.isNull()) {
+                 afObj = pageCatDict->lookupNF("AcroForm").copy();
+             } else if (afObj.isDict()) {
+-                doMergeFormDict(afObj.getDict(), pageForm.getDict(), numOffset);
++                if (!doMergeFormDict(afObj.getDict(), pageForm.getDict(), numOffset)) {
++                    fclose(f);
++                    delete yRef;
++                    delete countRef;
++                    delete outStr;
++                    return -1;
++                }
+             }
+         }
+         objectsCount += docs[i]->writePageObjects(outStr, yRef, numOffset, true);
diff --git a/poppler.spec b/poppler.spec
index 00673e4..57a651c 100644
--- a/poppler.spec
+++ b/poppler.spec
@@ -3,7 +3,7 @@
 Summary: PDF rendering library
 Name:    poppler
 Version: 21.01.0
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 URL:     http://poppler.freedesktop.org/
 Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@@ -35,6 +35,9 @@ Patch7:  poppler-21.01.0-hints.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2124527
 Patch8:  poppler-21.01.0-jbig-symbol-overflow.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=2189815
+Patch9:  poppler-21.01.0-pdfunite-broken-document.patch
+
 BuildRequires: make
 BuildRequires: cmake
 BuildRequires: gcc-c++
@@ -228,6 +231,10 @@ test "$(pkg-config --modversion poppler-qt5)" = "%{version}"
 %{_mandir}/man1/*
 
 %changelog
+* Fri Jun  9 2023 Marek Kasik <mkasik@redhat.com> - 21.01.0-15
+- Don't crash in broken documents
+- Resolves: #2189848
+
 * Mon Sep 26 2022 Marek Kasik <mkasik@redhat.com> - 21.01.0-14
 - Check for overflow when computing number of symbols
 - in JBIG2 text region