diff --git a/poppler-CVE-2024-56378.patch b/poppler-CVE-2024-56378.patch
new file mode 100644
index 0000000..ba7d1e9
--- /dev/null
+++ b/poppler-CVE-2024-56378.patch
@@ -0,0 +1,60 @@
+Index: poppler-24.12.0/poppler/JBIG2Stream.cc
+===================================================================
+--- poppler-24.12.0.orig/poppler/JBIG2Stream.cc
++++ poppler-24.12.0/poppler/JBIG2Stream.cc
+@@ -766,7 +766,7 @@ void JBIG2Bitmap::duplicateRow(int yDest
+
+ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp)
+ {
+- int x0, x1, y0, y1, xx, yy;
++ int x0, x1, y0, y1, xx, yy, yyy;
+ unsigned char *srcPtr, *destPtr;
+ unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
+ bool oneByte;
+@@ -813,14 +813,17 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *b
+ oneByte = x0 == ((x1 - 1) & ~7);
+
+ for (yy = y0; yy < y1; ++yy) {
+- if (unlikely((y + yy >= h) || (y + yy < 0))) {
++ if (unlikely(checkedAdd(y, yy, &yyy))) {
++ continue;
++ }
++ if (unlikely((yyy >= h) || (yyy < 0))) {
+ continue;
+ }
+
+ // one byte per line -- need to mask both left and right side
+ if (oneByte) {
+ if (x >= 0) {
+- destPtr = data + (y + yy) * line + (x >> 3);
++ destPtr = data + yyy * line + (x >> 3);
+ srcPtr = bitmap->data + yy * bitmap->line;
+ dest = *destPtr;
+ src1 = *srcPtr;
+@@ -843,7 +846,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *b
+ }
+ *destPtr = dest;
+ } else {
+- destPtr = data + (y + yy) * line;
++ destPtr = data + yyy * line;
+ srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
+ dest = *destPtr;
+ src1 = *srcPtr;
+@@ -873,7 +876,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *b
+
+ // left-most byte
+ if (x >= 0) {
+- destPtr = data + (y + yy) * line + (x >> 3);
++ destPtr = data + yyy * line + (x >> 3);
+ srcPtr = bitmap->data + yy * bitmap->line;
+ src1 = *srcPtr++;
+ dest = *destPtr;
+@@ -897,7 +900,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *b
+ *destPtr++ = dest;
+ xx = x0 + 8;
+ } else {
+- destPtr = data + (y + yy) * line;
++ destPtr = data + yyy * line;
+ srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
+ src1 = *srcPtr++;
+ xx = x0;
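Review bot: The new local `yyy` in the row loop of `JBIG2Bitmap::combine` carries the whole fix, yet nothing at the `checkedAdd(y, yy, &yyy)` call says what it holds or why the plain sum was unsafe. A comment there such as `// yyy = y + yy (destination row); the sum can overflow int, so it is computed with checkedAdd and the row is skipped on overflow`, and a name like `destY`, would make it harder for a later edit to reintroduce `(y + yy) * line`. All four `destPtr` assignments now depend on `yyy` lying in `[0, h)`, while the source offset `yy * bitmap->line` depends only on the `y0`/`y1` bounds, which are computed outside these hunks. It is worth confirming that this clamp does not itself add `y` to a height in unchecked `int` arithmetic. The body of `combine` begins before and continues past the hunks shown.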
diff --git a/poppler.changes b/poppler.changes
index 311127e..3248fd9 100644
--- a/poppler.changes
+++ b/poppler.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Dec 23 10:23:51 UTC 2024 - pgajdos@suse.com
+
+- security update
+- added patches
+ fix CVE-2024-56378 [bsc#1234795], out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc
+ + poppler-CVE-2024-56378.patch
+
 -------------------------------------------------------------------
 Thu Jul 4 07:39:57 UTC 2024 - pgajdos@suse.com
 
diff --git a/poppler.spec b/poppler.spec
index c0a7bb3..52673b4 100644
--- a/poppler.spec
+++ b/poppler.spec
@@ -46,6 +46,8 @@ Patch0: reduce-boost-required-version.patch
 Patch1: reduce-libtiff-required-version.patch
 # CVE-2024-6239 [bsc#1226916], crash when using pdfinfo with -dests parameter on malformed input files
 Patch2: poppler-CVE-2024-6239.patch
+# CVE-2024-56378 [bsc#1234795], out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc
+Patch3: poppler-CVE-2024-56378.patch
 BuildRequires: cmake >= 3.10
 BuildRequires: gtk-doc
 BuildRequires: libboost_headers-devel >= 1.66
@@ -220,6 +222,7 @@ developed by Derek Noonburg of Glyph and Cog, LLC.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 %if "%{flavor}" == "qt5"