summaryrefslogtreecommitdiff
path: root/backport-CVE-2022-38784.patch
diff options
context:
space:
mode:
Diffstat (limited to 'backport-CVE-2022-38784.patch')
-rw-r--r--backport-CVE-2022-38784.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/backport-CVE-2022-38784.patch b/backport-CVE-2022-38784.patch
new file mode 100644
index 0000000..ca8c95a
--- /dev/null
+++ b/backport-CVE-2022-38784.patch
@@ -0,0 +1,32 @@
+From 27354e9d9696ee2bc063910a6c9a6b27c5184a52 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 25 Aug 2022 00:14:22 +0200
+Subject: [PATCH] JBIG2Stream: Fix crash on broken file
+
+https://github.com/jeffssh/CVE-2021-30860
+
+Thanks to David Warren for the heads up
+---
+ poppler/JBIG2Stream.cc | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index a861da2..0bd8305 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -2099,7 +2099,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm,
+ for (i = 0; i < nRefSegs; ++i) {
+ if ((seg = findSegment(refSegs[i]))) {
+ if (seg->getType() == jbig2SegSymbolDict) {
+- numSyms += ((JBIG2SymbolDict *)seg)->getSize();
++ const unsigned int segSize = ((JBIG2SymbolDict *)seg)->getSize();
++ if (unlikely(checkedAdd(numSyms, segSize, &numSyms))) {
++ error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region");
++ return;
++ }
+ } else if (seg->getType() == jbig2SegCodeTable) {
+ codeTables->push_back(seg);
+ }
+--
+1.8.3.1
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-30 13:49:20 +0000