1 files changed, 37 insertions, 0 deletions

diff --git a/backport-CVE-2020-23804.patch b/backport-CVE-2020-23804.patch
new file mode 100644
index 0000000..7f2262c
--- /dev/null
+++ b/backport-CVE-2020-23804.patch
@@ -0,0 +1,37 @@
+From ec8a43c8df29fdd6f1228276160898ccd9401c92 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sat, 4 Jul 2020 00:08:55 +0200
+Subject: [PATCH] Fix stack overflow with specially crafted files
+
+The file is not malformed per se, it just has a huge XRefStm chain
+and we end up exhausting the stack space trying to parse them all.
+
+Having more than 4096 XRefStm seems like won't really happen on real
+life so break the flow at that point
+
+Fixes #936
+
+---
+ poppler/XRef.cc | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/poppler/XRef.cc b/poppler/XRef.cc
+index 5943bdd..fe8936e 100644
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -633,6 +633,12 @@ bool XRef::readXRefTable(Parser *parser, Goffset *pos, std::vector<Goffset> *fol
+         ok = false;
+       }
+     }
++    // Arbitrary limit because otherwise we exhaust the stack
++    // calling readXRef + readXRefTable
++    if (followedXRefStm->size() > 4096) {
++        error(errSyntaxError, -1, "File has more than 4096 XRefStm, aborting");
++        ok = false;
++    }
+     if (ok) {
+       followedXRefStm->push_back(pos2);
+       readXRef(&pos2, followedXRefStm, xrefStreamObjsNum);
+-- 
+2.33.0
+