diff --git a/SOURCES/poppler-21.01.0-tilingPatternFill-overflow.patch b/SOURCES/poppler-21.01.0-tilingPatternFill-overflow.patch
new file mode 100644
index 0000000..63ed36d
--- /dev/null
+++ b/SOURCES/poppler-21.01.0-tilingPatternFill-overflow.patch
@@ -0,0 +1,38 @@
+From 678bed7fc23bc14eb5f3ff4dfbaa10f2b252cf21 Mon Sep 17 00:00:00 2001
+From: Marek Kasik
+Date: Thu, 21 May 2026 17:51:51 +0200
+Subject: [PATCH] SplashOutputDev: Fix integer overflow in tilingPatternFill
+
+Use checkedMultiply() to check integer multiplication of surface size
+and number of repetitions to avoid integer overflow and possible memory issues.
+
+Fixes: #1715
+---
+ poppler/SplashOutputDev.cc | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
+index 705aae25..f10d6538 100644
+--- a/poppler/SplashOutputDev.cc
++++ b/poppler/SplashOutputDev.cc
+@@ -4327,7 +4328,7 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /*
+ matc[2] = ctm[2];
+ matc[3] = ctm[3];
+
+- if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4) {
++ if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4 || checkedMultiply(surface_width, repeatX, &result_width) || checkedMultiply(surface_height, repeatY, &result_height)) {
+ state->setCTM(savedCTM[0], savedCTM[1], savedCTM[2], savedCTM[3], savedCTM[4], savedCTM[5]);
+ return false;
+ }
+@@ -4349,8 +4350,6 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /*
+ kx = matc[0];
+ ky = matc[3] - (matc[1] * matc[2]) / matc[0];
+ }
+- result_width = surface_width * repeatX;
+- result_height = surface_height * repeatY;
+ kx = result_width / (fabs(kx) + 1);
+ ky = result_height / (fabs(ky) + 1);
+ state->concatCTM(kx, 0, 0, ky, 0, 0);
+--
+2.54.0
+
diff --git a/SPECS/poppler.spec b/SPECS/poppler.spec
index 9300c08..6e17091 100644
--- a/SPECS/poppler.spec
+++ b/SPECS/poppler.spec
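Review bot: The `repeatX * repeatY <= 4` term in the rewritten guard of the first SplashOutputDev.cc hunk is still a plain multiplication, and it is evaluated before the two `checkedMultiply()` calls, so it can itself overflow unless both factors are bounded earlier in tilingPatternFill, whose body starts outside the hunk. Routing it through the same helper would close that gap, for example `checkedMultiply(repeatX, repeatY, &repeatCount) || repeatCount <= 4` with a local `repeatCount` of the operands' type. Separately, the embedded patch's diffstat reports 2 insertions and its new-side hunk offsets are shifted by one line (4327 to 4328), yet only one added line is present, which suggests a one-line hunk of the upstream commit was dropped in this backport. It is worth confirming that the omission was intentional and that the declaration of `checkedMultiply` is already in scope in the 21.01.0 tree.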
@@ -3,7 +3,7 @@ Summary: PDF rendering library Name: poppler Version: 21.01.0 -Release: 24%{?dist} +Release: 24%{?dist}.1 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT URL: http://poppler.freedesktop.org/ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz @@ -60,6 +60,9 @@ Patch15: poppler-21.01.0-check-bitmap-in-combine.patch # https://issues.redhat.com/browse/RHEL-126070 Patch16: poppler-21.01.0-fix-pdfsig-man-page.patch +# https://issues.redhat.com/browse/RHEL-180580 +Patch17: poppler-21.01.0-tilingPatternFill-overflow.patch + BuildRequires: make BuildRequires: cmake BuildRequires: gcc-c++ @@ -253,6 +256,10 @@ test "$(pkg-config --modversion poppler-qt5)" = "%{version}" %{_mandir}/man1/* %changelog +* Sun May 31 2026 Marek Kasik - 21.01.0-24.el9_8.1 +- Fix integer overflow in tilingPatternFill (CVE-2026-10118) +- Resolves: RHEL-180580 + * Mon Dec 22 2025 Marek Kasik - 21.01.0-24 - Fix pdfsig's man page - Resolves: RHEL-126070