From: Sune Vuorela <sune@vuorela.dk>
Date: Tue, 29 Jul 2025 12:14:00 +0000 (+0200)
Subject: [PATCH] Fix crash in pdfseparate
X-Git-Tag: archive/raspbian/25.03.0-5+rpi1+deb13u2^2~1
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=7bffd29b93cb45cd6882f1f406adcdee5fb59bcd;p=poppler.git

[PATCH] Fix crash in pdfseparate

Don't continue recursing in PDFDoc::mark* if things looks a bit weirder
than expected

Gbp-Pq: Name CVE-2025-50420.patch
---

diff --git a/poppler/PDFDoc.cc b/poppler/PDFDoc.cc
index f0dae9b..7294d2c 100644
--- a/poppler/PDFDoc.cc
+++ b/poppler/PDFDoc.cc
@@ -1857,6 +1857,15 @@ bool PDFDoc::markAnnotations(Object *annotsObj, XRef *xRef, XRef *countRef, unsi
             if (obj1.isDict()) {
                 Dict *dict = obj1.getDict();
                 Object type = dict->lookup("Type");
+                if (type.isNull()) {
+                    Object subType = dict->lookup("SubType");
+                    // Type is optional, subtype is required
+                    // If neither of them exists, something is probably
+                    // weird here, so let us just skip this entry
+                    if (subType.isNull()) {
+                        continue;
+                    }
+                }
                 if (type.isName() && strcmp(type.getName(), "Annot") == 0) {
                     const Object &obj2 = dict->lookupNF("P");
                     if (obj2.isRef()) {