Sign Up
Log In
Sign Up
Username:
*
Email:
*
Password:
*
Password confirmation:
*
or
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Games:steam:SLE-15-SP3
poppler
poppler-CVE-2025-52886.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File poppler-CVE-2025-52886.patch of Package poppler
From ac36affcc8486de38e8905a8d6547a3464ff46e5 Mon Sep 17 00:00:00 2001 From: Sune Vuorela <sune@vuorela.dk> Date: Tue, 3 Jun 2025 00:35:19 +0200 Subject: [PATCH] Limit ammount of annots per document/page --- poppler/Annot.cc | 4 ++++ poppler/Page.cc | 16 ++++++++++++++++ 2 files changed, 20 insertions(+) Index: poppler-0.79.0/poppler/Annot.cc =================================================================== --- poppler-0.79.0.orig/poppler/Annot.cc +++ poppler-0.79.0/poppler/Annot.cc @@ -1511,6 +1511,10 @@ void Annot::removeReferencedObjects() { } void Annot::incRefCnt() { + if (refCnt > 100000) { + error(errSyntaxError, -1, "Annotations likely malformed. Too many references. Stopping processing annots on page {0:d}", page); + return; + } refCnt++; } Index: poppler-0.79.0/poppler/Page.cc =================================================================== --- poppler-0.79.0.orig/poppler/Page.cc +++ poppler-0.79.0/poppler/Page.cc @@ -282,6 +282,22 @@ Page::Page(PDFDoc *docA, int numA, Objec goto err2; } + if (annotsObj.isArray() && annotsObj.arrayGetLength() > 10000) { + error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, annotsObj.arrayGetLength()); + goto err2; + } + if (annotsObj.isRef()) { + auto resolvedObj = getAnnotsObject(); + if (resolvedObj.isArray() && resolvedObj.arrayGetLength() > 10000) { + error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, resolvedObj.arrayGetLength()); + goto err2; + } + if (!resolvedObj.isArray() && !resolvedObj.isNull()) { + error(errSyntaxError, -1, "Page annotations object (page {0:d}) is wrong type ({1:s})", num, resolvedObj.getTypeName()); + goto err2; + } + } + // contents contents = pageObj.dictLookupNF("Contents").copy(); if (!(contents.isRef() || contents.isArray() ||
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Contact
Support
@OBShq
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
