From acd87dffc7b41dc2015302e5d0d053083c78de2d Mon Sep 17 00:00:00 2001
From: Marek Kasik <mkasik@redhat.com>
Date: Wed, 5 Oct 2022 10:27:19 +0200
Subject: [PATCH] Check for overflow when computing number of symbols

in JBIG2 text region

Resolves: #2124530
---
 poppler-22.08.0-jbig-symbol-overflow.patch | 26 ++++++++++++++++++++++
 poppler.spec                               | 10 ++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 poppler-22.08.0-jbig-symbol-overflow.patch

diff --git a/poppler-22.08.0-jbig-symbol-overflow.patch b/poppler-22.08.0-jbig-symbol-overflow.patch
new file mode 100644
index 0000000..cf4fd21
--- /dev/null
+++ b/poppler-22.08.0-jbig-symbol-overflow.patch
@@ -0,0 +1,26 @@
+From 27354e9d9696ee2bc063910a6c9a6b27c5184a52 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 25 Aug 2022 00:14:22 +0200
+Subject: JBIG2Stream: Fix crash on broken file
+
+https://github.com/jeffssh/CVE-2021-30860
+
+Thanks to David Warren for the heads up
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index 662276e5..9f70431d 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -1976,7 +1976,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
+     for (i = 0; i < nRefSegs; ++i) {
+         if ((seg = findSegment(refSegs[i]))) {
+             if (seg->getType() == jbig2SegSymbolDict) {
+-                numSyms += ((JBIG2SymbolDict *)seg)->getSize();
++                const unsigned int segSize = ((JBIG2SymbolDict *)seg)->getSize();
++                if (unlikely(checkedAdd(numSyms, segSize, &numSyms))) {
++                    error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region");
++                    return;
++                }
+             } else if (seg->getType() == jbig2SegCodeTable) {
+                 codeTables.push_back(seg);
+             }
diff --git a/poppler.spec b/poppler.spec
index 8c79c60..a4fd4c6 100644
--- a/poppler.spec
+++ b/poppler.spec
@@ -15,7 +15,7 @@
 Summary: PDF rendering library
 Name:    poppler
 Version: 22.08.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 URL:     http://poppler.freedesktop.org/
 Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@@ -26,6 +26,9 @@ Patch1:  poppler-0.90.0-position-independent-code.patch
 
 Patch3:  poppler-21.01.0-glib-introspection.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=2124527
+Patch4:  poppler-22.08.0-jbig-symbol-overflow.patch
+
 BuildRequires: make
 BuildRequires: cmake
 BuildRequires: gcc-c++
@@ -276,6 +279,11 @@ test "$(pkg-config --modversion poppler-qt6)" = "%{version}"
 %{_mandir}/man1/*
 
 %changelog
+* Wed Oct 05 2022 Marek Kasik <mkasik@redhat.com> - 22.08.0-3
+- Check for overflow when computing number of symbols
+- in JBIG2 text region
+- Resolves: #2124530
+
 * Tue Sep 6 2022 Amit Shah <amitshah@fedoraproject.org> - 22.08.0-2
 - Allow building without Qt