mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
poppler: fix CVE-2024-56378
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-56378 Upstream patch: https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
e9e496dc64
commit
ff5e933e58
@@ -0,0 +1,78 @@
|
|||||||
|
From ade9b5ebed44b0c15522c27669ef6cdf93eff84e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Albert Astals Cid <aacid@kde.org>
|
||||||
|
Date: Tue, 17 Dec 2024 18:59:01 +0100
|
||||||
|
Subject: [PATCH] JBIG2Bitmap::combine: Fix crash on malformed files
|
||||||
|
|
||||||
|
Fixes #1553
|
||||||
|
|
||||||
|
CVE: CVE-2024-56378
|
||||||
|
Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e]
|
||||||
|
|
||||||
|
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
|
||||||
|
---
|
||||||
|
poppler/JBIG2Stream.cc | 15 +++++++++------
|
||||||
|
1 file changed, 9 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
|
||||||
|
index 2276b5c..b9a62e1 100644
|
||||||
|
--- a/poppler/JBIG2Stream.cc
|
||||||
|
+++ b/poppler/JBIG2Stream.cc
|
||||||
|
@@ -762,7 +762,7 @@ void JBIG2Bitmap::duplicateRow(int yDest, int ySrc)
|
||||||
|
|
||||||
|
void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp)
|
||||||
|
{
|
||||||
|
- int x0, x1, y0, y1, xx, yy;
|
||||||
|
+ int x0, x1, y0, y1, xx, yy, yyy;
|
||||||
|
unsigned char *srcPtr, *destPtr;
|
||||||
|
unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
|
||||||
|
bool oneByte;
|
||||||
|
@@ -809,14 +809,17 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
|
||||||
|
oneByte = x0 == ((x1 - 1) & ~7);
|
||||||
|
|
||||||
|
for (yy = y0; yy < y1; ++yy) {
|
||||||
|
- if (unlikely((y + yy >= h) || (y + yy < 0))) {
|
||||||
|
+ if (unlikely(checkedAdd(y, yy, &yyy))) {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ if (unlikely((yyy >= h) || (yyy < 0))) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
// one byte per line -- need to mask both left and right side
|
||||||
|
if (oneByte) {
|
||||||
|
if (x >= 0) {
|
||||||
|
- destPtr = data + (y + yy) * line + (x >> 3);
|
||||||
|
+ destPtr = data + yyy * line + (x >> 3);
|
||||||
|
srcPtr = bitmap->data + yy * bitmap->line;
|
||||||
|
dest = *destPtr;
|
||||||
|
src1 = *srcPtr;
|
||||||
|
@@ -839,7 +842,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
|
||||||
|
}
|
||||||
|
*destPtr = dest;
|
||||||
|
} else {
|
||||||
|
- destPtr = data + (y + yy) * line;
|
||||||
|
+ destPtr = data + yyy * line;
|
||||||
|
srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
|
||||||
|
dest = *destPtr;
|
||||||
|
src1 = *srcPtr;
|
||||||
|
@@ -869,7 +872,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
|
||||||
|
|
||||||
|
// left-most byte
|
||||||
|
if (x >= 0) {
|
||||||
|
- destPtr = data + (y + yy) * line + (x >> 3);
|
||||||
|
+ destPtr = data + yyy * line + (x >> 3);
|
||||||
|
srcPtr = bitmap->data + yy * bitmap->line;
|
||||||
|
src1 = *srcPtr++;
|
||||||
|
dest = *destPtr;
|
||||||
|
@@ -893,7 +896,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
|
||||||
|
*destPtr++ = dest;
|
||||||
|
xx = x0 + 8;
|
||||||
|
} else {
|
||||||
|
- destPtr = data + (y + yy) * line;
|
||||||
|
+ destPtr = data + yyy * line;
|
||||||
|
srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
|
||||||
|
src1 = *srcPtr++;
|
||||||
|
xx = x0;
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
|
|
||||||
@@ -10,6 +10,7 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
|
|||||||
file://CVE-2023-34872.patch \
|
file://CVE-2023-34872.patch \
|
||||||
file://CVE-2024-6239-0001.patch \
|
file://CVE-2024-6239-0001.patch \
|
||||||
file://CVE-2024-6239-0002.patch \
|
file://CVE-2024-6239-0002.patch \
|
||||||
|
file://CVE-2024-56378.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff"
|
SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user