mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
poppler: fix CVE-2025-52886
Poppler is a PDF rendering library. Versions prior to 25.06.0 use `std::atomic_int` for reference counting. Because `std::atomic_int` is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-52886 https://security-tracker.debian.org/tracker/CVE-2025-52886 Upstream patches: https://gitlab.freedesktop.org/poppler/poppler/-/commit/3449a16d3b1389870eb3e20795e802c6ae8bc04f https://gitlab.freedesktop.org/poppler/poppler/-/commit/ac36affcc8486de38e8905a8d6547a3464ff46e5 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
21e370fd3c
commit
c8a1b909ec
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,58 @@
|
|||||||
|
From ac36affcc8486de38e8905a8d6547a3464ff46e5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sune Vuorela <sune@vuorela.dk>
|
||||||
|
Date: Tue, 3 Jun 2025 00:35:19 +0200
|
||||||
|
Subject: [PATCH] Limit ammount of annots per document/page
|
||||||
|
|
||||||
|
CVE: CVE-2025-52886
|
||||||
|
Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/ac36affcc8486de38e8905a8d6547a3464ff46e5
|
||||||
|
|
||||||
|
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
|
||||||
|
---
|
||||||
|
poppler/Annot.cc | 4 ++++
|
||||||
|
poppler/Page.cc | 16 ++++++++++++++++
|
||||||
|
2 files changed, 20 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/poppler/Annot.cc b/poppler/Annot.cc
|
||||||
|
index b98df5d..3e9dfac 100644
|
||||||
|
--- a/poppler/Annot.cc
|
||||||
|
+++ b/poppler/Annot.cc
|
||||||
|
@@ -7450,6 +7450,10 @@ Annots::Annots(PDFDoc *docA, int page, Object *annotsObj)
|
||||||
|
const Object &obj2 = annotsObj->arrayGetNF(i);
|
||||||
|
std::shared_ptr<Annot> annot = createAnnot(std::move(obj1), &obj2);
|
||||||
|
if (annot) {
|
||||||
|
+ if (annot.use_count() > 100000) {
|
||||||
|
+ error(errSyntaxError, -1, "Annotations likely malformed. Too many references. Stopping processing annots on page {0:d}", page);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
if (annot->isOk()) {
|
||||||
|
annot->setPage(page, false); // Don't change /P
|
||||||
|
appendAnnot(annot);
|
||||||
|
diff --git a/poppler/Page.cc b/poppler/Page.cc
|
||||||
|
index 234f124..858b128 100644
|
||||||
|
--- a/poppler/Page.cc
|
||||||
|
+++ b/poppler/Page.cc
|
||||||
|
@@ -288,6 +288,22 @@ Page::Page(PDFDoc *docA, int numA, Object &&pageDict, Ref pageRefA, PageAttrs *a
|
||||||
|
goto err2;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (annotsObj.isArray() && annotsObj.arrayGetLength() > 10000) {
|
||||||
|
+ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, annotsObj.arrayGetLength());
|
||||||
|
+ goto err2;
|
||||||
|
+ }
|
||||||
|
+ if (annotsObj.isRef()) {
|
||||||
|
+ auto resolvedObj = getAnnotsObject();
|
||||||
|
+ if (resolvedObj.isArray() && resolvedObj.arrayGetLength() > 10000) {
|
||||||
|
+ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, resolvedObj.arrayGetLength());
|
||||||
|
+ goto err2;
|
||||||
|
+ }
|
||||||
|
+ if (!resolvedObj.isArray() && !resolvedObj.isNull()) {
|
||||||
|
+ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is wrong type ({1:s})", num, resolvedObj.getTypeName());
|
||||||
|
+ goto err2;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
// contents
|
||||||
|
contents = pageObj.dictLookupNF("Contents").copy();
|
||||||
|
if (!(contents.isRef() || contents.isArray() || contents.isNull())) {
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
@@ -16,6 +16,8 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
|
|||||||
file://CVE-2025-32365.patch \
|
file://CVE-2025-32365.patch \
|
||||||
file://CVE-2025-43903-0001.patch \
|
file://CVE-2025-43903-0001.patch \
|
||||||
file://CVE-2025-43903-0002.patch \
|
file://CVE-2025-43903-0002.patch \
|
||||||
|
file://CVE-2025-52886-0001.patch \
|
||||||
|
file://CVE-2025-52886-0002.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "b6d893dc7dcd4138b9e9df59a13c59695e50e80dc5c2cacee0674670693951a1"
|
SRC_URI[sha256sum] = "b6d893dc7dcd4138b9e9df59a13c59695e50e80dc5c2cacee0674670693951a1"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user